Vulnerability-Lookup

Vendor	Product	Description
Ubuntu	Ubuntu	Ubuntu 16.04 ESM
Ubuntu	Ubuntu	Ubuntu 20.04 ESM
Ubuntu	Ubuntu	Ubuntu 24.04 LTS
Ubuntu	Ubuntu	Ubuntu 25.04
Ubuntu	Ubuntu	Ubuntu 18.04 ESM
Ubuntu	Ubuntu	Ubuntu 24.10
Ubuntu	Ubuntu	Ubuntu 14.04 ESM
Ubuntu	Ubuntu	Ubuntu 22.04 LTS

CVE-2025-37855 (GCVE-0-2025-37855)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:42 – Updated: 2025-06-19 12:56

Title

drm/amd/display: Guard Possible Null Pointer Dereference

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Guard Possible Null Pointer Dereference [WHY] In some situations, dc->res_pool may be null. [HOW] Check if pointer is null before dereference.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dc2de1ac7145f882f…
	https://git.kernel.org/stable/c/c87d202692de34ee7…

Impacted products

Vendor

Product

Version

Linux

Affected: 59fb2d0697de0fa9e48b98414420f5a59ca5583c , < dc2de1ac7145f882f3c03d2d6f84583ae7e35d41 (git)
Affected: 59fb2d0697de0fa9e48b98414420f5a59ca5583c , < c87d202692de34ee71d1fd4679a549a29095658a (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dc2de1ac7145f882f3c03d2d6f84583ae7e35d41",
              "status": "affected",
              "version": "59fb2d0697de0fa9e48b98414420f5a59ca5583c",
              "versionType": "git"
            },
            {
              "lessThan": "c87d202692de34ee71d1fd4679a549a29095658a",
              "status": "affected",
              "version": "59fb2d0697de0fa9e48b98414420f5a59ca5583c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Guard Possible Null Pointer Dereference\n\n[WHY]\nIn some situations, dc-\u003eres_pool may be null.\n\n[HOW]\nCheck if pointer is null before dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T12:56:48.089Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dc2de1ac7145f882f3c03d2d6f84583ae7e35d41"
        },
        {
          "url": "https://git.kernel.org/stable/c/c87d202692de34ee71d1fd4679a549a29095658a"
        }
      ],
      "title": "drm/amd/display: Guard Possible Null Pointer Dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37855",
    "datePublished": "2025-05-09T06:42:03.545Z",
    "dateReserved": "2025-04-16T04:51:23.956Z",
    "dateUpdated": "2025-06-19T12:56:48.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37744 (GCVE-0-2025-37744)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-09-03 13:06

Title

wifi: ath12k: fix memory leak in ath12k_pci_remove()

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath12k: fix memory leak in ath12k_pci_remove() Kmemleak reported this error: unreferenced object 0xffff1c165cec3060 (size 32): comm "insmod", pid 560, jiffies 4296964570 (age 235.596s) backtrace: [<000000005434db68>] __kmem_cache_alloc_node+0x1f4/0x2c0 [<000000001203b155>] kmalloc_trace+0x40/0x88 [<0000000028adc9c8>] _request_firmware+0xb8/0x608 [<00000000cad1aef7>] firmware_request_nowarn+0x50/0x80 [<000000005011a682>] local_pci_probe+0x48/0xd0 [<00000000077cd295>] pci_device_probe+0xb4/0x200 [<0000000087184c94>] really_probe+0x150/0x2c0 The firmware memory was allocated in ath12k_pci_probe(), but not freed in ath12k_pci_remove() in case ATH12K_FLAG_QMI_FAIL bit is set. So call ath12k_fw_unmap() to free the memory. Tested-on: WCN7850 hw2.0 PCI WLAN.HMT.2.0-02280-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/52e3132e62c31b5ad…
	https://git.kernel.org/stable/c/1b24394ed5c8a8d8f…

Impacted products

Vendor

Product

Version

Linux

Affected: fc38e9339c47d704934bc74e55c331f0d2d88583 , < 52e3132e62c31b5ade43dc4495fa81175e6e8398 (git)
Affected: fc38e9339c47d704934bc74e55c331f0d2d88583 , < 1b24394ed5c8a8d8f7b9e3aa9044c31495d46f2e (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "52e3132e62c31b5ade43dc4495fa81175e6e8398",
              "status": "affected",
              "version": "fc38e9339c47d704934bc74e55c331f0d2d88583",
              "versionType": "git"
            },
            {
              "lessThan": "1b24394ed5c8a8d8f7b9e3aa9044c31495d46f2e",
              "status": "affected",
              "version": "fc38e9339c47d704934bc74e55c331f0d2d88583",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath12k/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath12k: fix memory leak in ath12k_pci_remove()\n\nKmemleak reported this error:\n\n  unreferenced object 0xffff1c165cec3060 (size 32):\n    comm \"insmod\", pid 560, jiffies 4296964570 (age 235.596s)\n    backtrace:\n      [\u003c000000005434db68\u003e] __kmem_cache_alloc_node+0x1f4/0x2c0\n      [\u003c000000001203b155\u003e] kmalloc_trace+0x40/0x88\n      [\u003c0000000028adc9c8\u003e] _request_firmware+0xb8/0x608\n      [\u003c00000000cad1aef7\u003e] firmware_request_nowarn+0x50/0x80\n      [\u003c000000005011a682\u003e] local_pci_probe+0x48/0xd0\n      [\u003c00000000077cd295\u003e] pci_device_probe+0xb4/0x200\n      [\u003c0000000087184c94\u003e] really_probe+0x150/0x2c0\n\nThe firmware memory was allocated in ath12k_pci_probe(), but not\nfreed in ath12k_pci_remove() in case ATH12K_FLAG_QMI_FAIL bit is\nset. So call ath12k_fw_unmap() to free the memory.\n\nTested-on: WCN7850 hw2.0 PCI WLAN.HMT.2.0-02280-QCAHMTSWPL_V1.0_V2.0_SILICONZ-1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T13:06:49.126Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/52e3132e62c31b5ade43dc4495fa81175e6e8398"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b24394ed5c8a8d8f7b9e3aa9044c31495d46f2e"
        }
      ],
      "title": "wifi: ath12k: fix memory leak in ath12k_pci_remove()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37744",
    "datePublished": "2025-05-01T12:55:51.983Z",
    "dateReserved": "2025-04-16T04:51:23.936Z",
    "dateUpdated": "2025-09-03T13:06:49.126Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21666 (GCVE-0-2025-21666)

Vulnerability from cvelistv5 – Published: 2025-01-31 11:25 – Updated: 2025-11-03 20:58

Title

vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]

Summary

In the Linux kernel, the following vulnerability has been resolved: vsock: prevent null-ptr-deref in vsock_*[has_data|has_space] Recent reports have shown how we sometimes call vsock_*_has_data() when a vsock socket has been de-assigned from a transport (see attached links), but we shouldn't. Previous commits should have solved the real problems, but we may have more in the future, so to avoid null-ptr-deref, we can return 0 (no space, no data available) but with a warning. This way the code should continue to run in a nearly consistent state and have a warning that allows us to debug future problems.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/daeac89cdb03d3002…
	https://git.kernel.org/stable/c/9e5fed46ccd2c34c5…
	https://git.kernel.org/stable/c/b52e50dd4fabd1294…
	https://git.kernel.org/stable/c/bc9c49341f9728c31…
	https://git.kernel.org/stable/c/c23d1d4f8efefb722…
	https://git.kernel.org/stable/c/91751e248256efc11…

Impacted products

Vendor

Product

Version

Linux

Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < daeac89cdb03d30028186f5ff7dc26ec8fa843e7 (git)
Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 9e5fed46ccd2c34c5fa5a9c8825ce4823fdc853e (git)
Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < b52e50dd4fabd12944172bd486a4f4853b7f74dd (git)
Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < bc9c49341f9728c31fe248c5fbba32d2e81a092b (git)
Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < c23d1d4f8efefb72258e9cedce29de10d057f8ca (git)
Affected: c0cfa2d8a788fcf45df5bf4070ab2474c88d543a , < 91751e248256efc111e52e15115840c35d85abaf (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.127 , ≤ 6.1.* (semver)
Unaffected: 6.6.74 , ≤ 6.6.* (semver)
Unaffected: 6.12.11 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21666",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:52:24.276957Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:12.729Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:44.611Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "daeac89cdb03d30028186f5ff7dc26ec8fa843e7",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "9e5fed46ccd2c34c5fa5a9c8825ce4823fdc853e",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "b52e50dd4fabd12944172bd486a4f4853b7f74dd",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "bc9c49341f9728c31fe248c5fbba32d2e81a092b",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "c23d1d4f8efefb72258e9cedce29de10d057f8ca",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            },
            {
              "lessThan": "91751e248256efc111e52e15115840c35d85abaf",
              "status": "affected",
              "version": "c0cfa2d8a788fcf45df5bf4070ab2474c88d543a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/vmw_vsock/af_vsock.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvsock: prevent null-ptr-deref in vsock_*[has_data|has_space]\n\nRecent reports have shown how we sometimes call vsock_*_has_data()\nwhen a vsock socket has been de-assigned from a transport (see attached\nlinks), but we shouldn\u0027t.\n\nPrevious commits should have solved the real problems, but we may have\nmore in the future, so to avoid null-ptr-deref, we can return 0\n(no space, no data available) but with a warning.\n\nThis way the code should continue to run in a nearly consistent state\nand have a warning that allows us to debug future problems."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:33.164Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/daeac89cdb03d30028186f5ff7dc26ec8fa843e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e5fed46ccd2c34c5fa5a9c8825ce4823fdc853e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b52e50dd4fabd12944172bd486a4f4853b7f74dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/bc9c49341f9728c31fe248c5fbba32d2e81a092b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c23d1d4f8efefb72258e9cedce29de10d057f8ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/91751e248256efc111e52e15115840c35d85abaf"
        }
      ],
      "title": "vsock: prevent null-ptr-deref in vsock_*[has_data|has_space]",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21666",
    "datePublished": "2025-01-31T11:25:31.138Z",
    "dateReserved": "2024-12-29T08:45:45.733Z",
    "dateUpdated": "2025-11-03T20:58:44.611Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37739 (GCVE-0-2025-37739)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-11-03 19:54

Title

f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()

Summary

In the Linux kernel, the following vulnerability has been resolved: f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks() syzbot reports an UBSAN issue as below: ------------[ cut here ]------------ UBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10 index 18446744073709550692 is out of range for type '__le32[5]' (aka 'unsigned int[5]') CPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 ubsan_epilogue lib/ubsan.c:231 [inline] __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429 get_nid fs/f2fs/node.h:381 [inline] f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181 f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808 f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836 f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886 f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093 aio_write+0x56b/0x7c0 fs/aio.c:1633 io_submit_one+0x8a7/0x18a0 fs/aio.c:2052 __do_sys_io_submit fs/aio.c:2111 [inline] __se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f238798cde9 index 18446744073709550692 (decimal, unsigned long long) = 0xfffffffffffffc64 (hexadecimal, unsigned long long) = -924 (decimal, long long) In f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to access .i_nid[-924], it means both offset[0] and level should zero. The possible case should be in f2fs_do_truncate_blocks(), we try to truncate inode size to zero, however, dn.ofs_in_node is zero and dn.node_page is not an inode page, so it fails to truncate inode page, and then pass zeroed free_from to f2fs_truncate_inode_blocks(), result in this issue. if (dn.ofs_in_node || IS_INODE(dn.node_page)) { f2fs_truncate_data_blocks_range(&dn, count); free_from += count; } I guess the reason why dn.node_page is not an inode page could be: there are multiple nat entries share the same node block address, once the node block address was reused, f2fs_get_node_page() may load a non-inode block. Let's add a sanity check for such condition to avoid out-of-bounds access issue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a67e1bf03c609a751…
	https://git.kernel.org/stable/c/67e16ccba74dd8de0…
	https://git.kernel.org/stable/c/98dbf2af63de0b551…
	https://git.kernel.org/stable/c/8b5e5aac44fee1229…
	https://git.kernel.org/stable/c/ecc461331604b07cd…
	https://git.kernel.org/stable/c/d7242fd7946d4cba0…
	https://git.kernel.org/stable/c/6ba8b41d0aa4b82f9…
	https://git.kernel.org/stable/c/e6494977bd4a83862…

Impacted products

Vendor

Product

Version

Linux

Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < a67e1bf03c609a751d1740a1789af25e599966fa (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 67e16ccba74dd8de0a7b10062f1e02d77432f573 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 98dbf2af63de0b551082c9bc48333910e009b09f (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 8b5e5aac44fee122947a269f9034c048e4c295de (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < ecc461331604b07cdbdb7360dbdf78471653264c (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < d7242fd7946d4cba0411effb6b5048ca55125747 (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < 6ba8b41d0aa4b82f90f0c416cb53fcef9696525d (git)
Affected: 98e4da8ca301e062d79ae168c67e56f3c3de3ce4 , < e6494977bd4a83862118a05f57a8df40256951c0 (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:13.702Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/node.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a67e1bf03c609a751d1740a1789af25e599966fa",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "67e16ccba74dd8de0a7b10062f1e02d77432f573",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "98dbf2af63de0b551082c9bc48333910e009b09f",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "8b5e5aac44fee122947a269f9034c048e4c295de",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "ecc461331604b07cdbdb7360dbdf78471653264c",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "d7242fd7946d4cba0411effb6b5048ca55125747",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "6ba8b41d0aa4b82f90f0c416cb53fcef9696525d",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            },
            {
              "lessThan": "e6494977bd4a83862118a05f57a8df40256951c0",
              "status": "affected",
              "version": "98e4da8ca301e062d79ae168c67e56f3c3de3ce4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/f2fs/node.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nf2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()\n\nsyzbot reports an UBSAN issue as below:\n\n------------[ cut here ]------------\nUBSAN: array-index-out-of-bounds in fs/f2fs/node.h:381:10\nindex 18446744073709550692 is out of range for type \u0027__le32[5]\u0027 (aka \u0027unsigned int[5]\u0027)\nCPU: 0 UID: 0 PID: 5318 Comm: syz.0.0 Not tainted 6.14.0-rc3-syzkaller-00060-g6537cfb395f3 #0\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n ubsan_epilogue lib/ubsan.c:231 [inline]\n __ubsan_handle_out_of_bounds+0x121/0x150 lib/ubsan.c:429\n get_nid fs/f2fs/node.h:381 [inline]\n f2fs_truncate_inode_blocks+0xa5e/0xf60 fs/f2fs/node.c:1181\n f2fs_do_truncate_blocks+0x782/0x1030 fs/f2fs/file.c:808\n f2fs_truncate_blocks+0x10d/0x300 fs/f2fs/file.c:836\n f2fs_truncate+0x417/0x720 fs/f2fs/file.c:886\n f2fs_file_write_iter+0x1bdb/0x2550 fs/f2fs/file.c:5093\n aio_write+0x56b/0x7c0 fs/aio.c:1633\n io_submit_one+0x8a7/0x18a0 fs/aio.c:2052\n __do_sys_io_submit fs/aio.c:2111 [inline]\n __se_sys_io_submit+0x171/0x2e0 fs/aio.c:2081\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f238798cde9\n\nindex 18446744073709550692 (decimal, unsigned long long)\n= 0xfffffffffffffc64 (hexadecimal, unsigned long long)\n= -924 (decimal, long long)\n\nIn f2fs_truncate_inode_blocks(), UBSAN detects that get_nid() tries to\naccess .i_nid[-924], it means both offset[0] and level should zero.\n\nThe possible case should be in f2fs_do_truncate_blocks(), we try to\ntruncate inode size to zero, however, dn.ofs_in_node is zero and\ndn.node_page is not an inode page, so it fails to truncate inode page,\nand then pass zeroed free_from to f2fs_truncate_inode_blocks(), result\nin this issue.\n\n\tif (dn.ofs_in_node || IS_INODE(dn.node_page)) {\n\t\tf2fs_truncate_data_blocks_range(\u0026dn, count);\n\t\tfree_from += count;\n\t}\n\nI guess the reason why dn.node_page is not an inode page could be: there\nare multiple nat entries share the same node block address, once the node\nblock address was reused, f2fs_get_node_page() may load a non-inode block.\n\nLet\u0027s add a sanity check for such condition to avoid out-of-bounds access\nissue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T17:21:40.922Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a67e1bf03c609a751d1740a1789af25e599966fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/67e16ccba74dd8de0a7b10062f1e02d77432f573"
        },
        {
          "url": "https://git.kernel.org/stable/c/98dbf2af63de0b551082c9bc48333910e009b09f"
        },
        {
          "url": "https://git.kernel.org/stable/c/8b5e5aac44fee122947a269f9034c048e4c295de"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecc461331604b07cdbdb7360dbdf78471653264c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d7242fd7946d4cba0411effb6b5048ca55125747"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ba8b41d0aa4b82f90f0c416cb53fcef9696525d"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6494977bd4a83862118a05f57a8df40256951c0"
        }
      ],
      "title": "f2fs: fix to avoid out-of-bounds access in f2fs_truncate_inode_blocks()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37739",
    "datePublished": "2025-05-01T12:55:48.616Z",
    "dateReserved": "2025-04-16T04:51:23.936Z",
    "dateUpdated": "2025-11-03T19:54:13.702Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-58017 (GCVE-0-2024-58017)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:12 – Updated: 2025-11-03 19:33

Title

printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX

Summary

In the Linux kernel, the following vulnerability has been resolved: printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX Shifting 1 << 31 on a 32-bit int causes signed integer overflow, which leads to undefined behavior. To prevent this, cast 1 to u32 before performing the shift, ensuring well-defined behavior. This change explicitly avoids any potential overflow by ensuring that the shift occurs on an unsigned 32-bit integer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/54c14022fa2ba427d…
	https://git.kernel.org/stable/c/dfb7b179741ee0950…
	https://git.kernel.org/stable/c/bb8ff054e19fe27f4…
	https://git.kernel.org/stable/c/9a6d43844de2479a3…
	https://git.kernel.org/stable/c/4acf6bab775dbd22a…
	https://git.kernel.org/stable/c/404e5fd918a0b14ab…
	https://git.kernel.org/stable/c/4a2c4e7265b8eed83…
	https://git.kernel.org/stable/c/3d6f83df8ff2d5de8…

Impacted products

Vendor

Product

Version

Linux

Affected: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e , < 54c14022fa2ba427dc543455c2cf9225903a7174 (git)
Affected: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e , < dfb7b179741ee09506dc7719d92f9e1cea01f10e (git)
Affected: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e , < bb8ff054e19fe27f4e5eaac1b05e462894cfe9b1 (git)
Affected: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e , < 9a6d43844de2479a3ff8d674c3e2a16172e01598 (git)
Affected: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e , < 4acf6bab775dbd22a9a799030a808a7305e01d63 (git)
Affected: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e , < 404e5fd918a0b14abec06c7eca128f04c9b98e41 (git)
Affected: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e , < 4a2c4e7265b8eed83c25d86d702cea06493cab18 (git)
Affected: e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e , < 3d6f83df8ff2d5de84b50377e4f0d45e25311c7a (git)
Affected: 55b2c1ccb82143be1ed9e1922976dbe63917fe68 (git)
Affected: 089d475a4cdb5848998b3cb37e545413ed054784 (git)
Affected: 695583334b6b7f82c39ee124edfbfa48145ed571 (git)
Affected: 3404019d6d0f4c0108b77d44e97e2e39ca937e6f (git)

Linux

Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.78 , ≤ 6.6.* (semver)
Unaffected: 6.12.14 , ≤ 6.12.* (semver)
Unaffected: 6.13.3 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:33:36.689Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/printk/printk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "54c14022fa2ba427dc543455c2cf9225903a7174",
              "status": "affected",
              "version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
              "versionType": "git"
            },
            {
              "lessThan": "dfb7b179741ee09506dc7719d92f9e1cea01f10e",
              "status": "affected",
              "version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
              "versionType": "git"
            },
            {
              "lessThan": "bb8ff054e19fe27f4e5eaac1b05e462894cfe9b1",
              "status": "affected",
              "version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
              "versionType": "git"
            },
            {
              "lessThan": "9a6d43844de2479a3ff8d674c3e2a16172e01598",
              "status": "affected",
              "version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
              "versionType": "git"
            },
            {
              "lessThan": "4acf6bab775dbd22a9a799030a808a7305e01d63",
              "status": "affected",
              "version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
              "versionType": "git"
            },
            {
              "lessThan": "404e5fd918a0b14abec06c7eca128f04c9b98e41",
              "status": "affected",
              "version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
              "versionType": "git"
            },
            {
              "lessThan": "4a2c4e7265b8eed83c25d86d702cea06493cab18",
              "status": "affected",
              "version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
              "versionType": "git"
            },
            {
              "lessThan": "3d6f83df8ff2d5de84b50377e4f0d45e25311c7a",
              "status": "affected",
              "version": "e6fe3e5b7d16e8f146a4ae7fe481bc6e97acde1e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "55b2c1ccb82143be1ed9e1922976dbe63917fe68",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "089d475a4cdb5848998b3cb37e545413ed054784",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "695583334b6b7f82c39ee124edfbfa48145ed571",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3404019d6d0f4c0108b77d44e97e2e39ca937e6f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/printk/printk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.203",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.203",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.156",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.86",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nprintk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX\n\nShifting 1 \u003c\u003c 31 on a 32-bit int causes signed integer overflow, which\nleads to undefined behavior. To prevent this, cast 1 to u32 before\nperforming the shift, ensuring well-defined behavior.\n\nThis change explicitly avoids any potential overflow by ensuring that\nthe shift occurs on an unsigned 32-bit integer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T12:59:23.959Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/54c14022fa2ba427dc543455c2cf9225903a7174"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfb7b179741ee09506dc7719d92f9e1cea01f10e"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb8ff054e19fe27f4e5eaac1b05e462894cfe9b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a6d43844de2479a3ff8d674c3e2a16172e01598"
        },
        {
          "url": "https://git.kernel.org/stable/c/4acf6bab775dbd22a9a799030a808a7305e01d63"
        },
        {
          "url": "https://git.kernel.org/stable/c/404e5fd918a0b14abec06c7eca128f04c9b98e41"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a2c4e7265b8eed83c25d86d702cea06493cab18"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d6f83df8ff2d5de84b50377e4f0d45e25311c7a"
        }
      ],
      "title": "printk: Fix signed integer overflow when defining LOG_BUF_LEN_MAX",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58017",
    "datePublished": "2025-02-27T02:12:09.075Z",
    "dateReserved": "2025-02-27T02:10:48.228Z",
    "dateUpdated": "2025-11-03T19:33:36.689Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2021-47576 (GCVE-0-2021-47576)

Vulnerability from cvelistv5 – Published: 2024-06-19 14:53 – Updated: 2025-12-18 11:37

Title

scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() In resp_mode_select() sanity check the block descriptor len to avoid UAF. BUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509 Read of size 1 at addr ffff888026670f50 by task scsicmd/15032 CPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Call Trace: <TASK> dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443 __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306 resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509 schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483 scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537 scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521 blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640 __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325 blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358 __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762 __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839 blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891 blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474 blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63 sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837 sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775 sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941 sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166 __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50 entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/adcecd50da6cab7b4…
	https://git.kernel.org/stable/c/90491283b40642206…
	https://git.kernel.org/stable/c/04181973c38f3d6a3…
	https://git.kernel.org/stable/c/b847ecff850719c46…
	https://git.kernel.org/stable/c/a9078e791426c2cbb…
	https://git.kernel.org/stable/c/dfc3fff63793c5711…
	https://git.kernel.org/stable/c/e0a2c28da11e2c2b9…

Impacted products

Vendor

Product

Version

Linux

Affected: 231839102b54512ced7d3ee7fc9b8bcf5e3b583b , < adcecd50da6cab7b4957cba0606771dcc846c5a9 (git)
Affected: 231839102b54512ced7d3ee7fc9b8bcf5e3b583b , < 90491283b4064220682e4b0687d07b05df01e3bf (git)
Affected: 231839102b54512ced7d3ee7fc9b8bcf5e3b583b , < 04181973c38f3d6a353f9246dcf7fee08024fd9e (git)
Affected: 231839102b54512ced7d3ee7fc9b8bcf5e3b583b , < b847ecff850719c46c95acd25a0d555dfd16e10d (git)
Affected: 231839102b54512ced7d3ee7fc9b8bcf5e3b583b , < a9078e791426c2cbbdf28a320c3670f6e0a611e6 (git)
Affected: 231839102b54512ced7d3ee7fc9b8bcf5e3b583b , < dfc3fff63793c571147930b13c0f8c689c4281ac (git)
Affected: 231839102b54512ced7d3ee7fc9b8bcf5e3b583b , < e0a2c28da11e2c2b963fc01d50acbf03045ac732 (git)

Linux

Affected: 2.6.19
Unaffected: 0 , < 2.6.19 (semver)
Unaffected: 4.9.294 , ≤ 4.9.* (semver)
Unaffected: 4.14.259 , ≤ 4.14.* (semver)
Unaffected: 4.19.222 , ≤ 4.19.* (semver)
Unaffected: 5.4.168 , ≤ 5.4.* (semver)
Unaffected: 5.10.88 , ≤ 5.10.* (semver)
Unaffected: 5.15.11 , ≤ 5.15.* (semver)
Unaffected: 5.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T05:39:59.644Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/adcecd50da6cab7b4957cba0606771dcc846c5a9"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/90491283b4064220682e4b0687d07b05df01e3bf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/04181973c38f3d6a353f9246dcf7fee08024fd9e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b847ecff850719c46c95acd25a0d555dfd16e10d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/a9078e791426c2cbbdf28a320c3670f6e0a611e6"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/dfc3fff63793c571147930b13c0f8c689c4281ac"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/e0a2c28da11e2c2b963fc01d50acbf03045ac732"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2021-47576",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T17:12:55.832156Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:53.167Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/scsi_debug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "adcecd50da6cab7b4957cba0606771dcc846c5a9",
              "status": "affected",
              "version": "231839102b54512ced7d3ee7fc9b8bcf5e3b583b",
              "versionType": "git"
            },
            {
              "lessThan": "90491283b4064220682e4b0687d07b05df01e3bf",
              "status": "affected",
              "version": "231839102b54512ced7d3ee7fc9b8bcf5e3b583b",
              "versionType": "git"
            },
            {
              "lessThan": "04181973c38f3d6a353f9246dcf7fee08024fd9e",
              "status": "affected",
              "version": "231839102b54512ced7d3ee7fc9b8bcf5e3b583b",
              "versionType": "git"
            },
            {
              "lessThan": "b847ecff850719c46c95acd25a0d555dfd16e10d",
              "status": "affected",
              "version": "231839102b54512ced7d3ee7fc9b8bcf5e3b583b",
              "versionType": "git"
            },
            {
              "lessThan": "a9078e791426c2cbbdf28a320c3670f6e0a611e6",
              "status": "affected",
              "version": "231839102b54512ced7d3ee7fc9b8bcf5e3b583b",
              "versionType": "git"
            },
            {
              "lessThan": "dfc3fff63793c571147930b13c0f8c689c4281ac",
              "status": "affected",
              "version": "231839102b54512ced7d3ee7fc9b8bcf5e3b583b",
              "versionType": "git"
            },
            {
              "lessThan": "e0a2c28da11e2c2b963fc01d50acbf03045ac732",
              "status": "affected",
              "version": "231839102b54512ced7d3ee7fc9b8bcf5e3b583b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/scsi_debug.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.19"
            },
            {
              "lessThan": "2.6.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.9.*",
              "status": "unaffected",
              "version": "4.9.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.14.*",
              "status": "unaffected",
              "version": "4.14.259",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.222",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.9.294",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.14.259",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.222",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.168",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.88",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.11",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.16",
                  "versionStartIncluding": "2.6.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()\n\nIn resp_mode_select() sanity check the block descriptor len to avoid UAF.\n\nBUG: KASAN: use-after-free in resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509\nRead of size 1 at addr ffff888026670f50 by task scsicmd/15032\n\nCPU: 1 PID: 15032 Comm: scsicmd Not tainted 5.15.0-01d0625 #15\nHardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:107\n print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:257\n kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:443\n __asan_report_load1_noabort+0x14/0x20 mm/kasan/report_generic.c:306\n resp_mode_select+0xa4c/0xb40 drivers/scsi/scsi_debug.c:2509\n schedule_resp+0x4af/0x1a10 drivers/scsi/scsi_debug.c:5483\n scsi_debug_queuecommand+0x8c9/0x1e70 drivers/scsi/scsi_debug.c:7537\n scsi_queue_rq+0x16b4/0x2d10 drivers/scsi/scsi_lib.c:1521\n blk_mq_dispatch_rq_list+0xb9b/0x2700 block/blk-mq.c:1640\n __blk_mq_sched_dispatch_requests+0x28f/0x590 block/blk-mq-sched.c:325\n blk_mq_sched_dispatch_requests+0x105/0x190 block/blk-mq-sched.c:358\n __blk_mq_run_hw_queue+0xe5/0x150 block/blk-mq.c:1762\n __blk_mq_delay_run_hw_queue+0x4f8/0x5c0 block/blk-mq.c:1839\n blk_mq_run_hw_queue+0x18d/0x350 block/blk-mq.c:1891\n blk_mq_sched_insert_request+0x3db/0x4e0 block/blk-mq-sched.c:474\n blk_execute_rq_nowait+0x16b/0x1c0 block/blk-exec.c:63\n sg_common_write.isra.18+0xeb3/0x2000 drivers/scsi/sg.c:837\n sg_new_write.isra.19+0x570/0x8c0 drivers/scsi/sg.c:775\n sg_ioctl_common+0x14d6/0x2710 drivers/scsi/sg.c:941\n sg_ioctl+0xa2/0x180 drivers/scsi/sg.c:1166\n __x64_sys_ioctl+0x19d/0x220 fs/ioctl.c:52\n do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:50\n entry_SYSCALL_64_after_hwframe+0x44/0xae arch/x86/entry/entry_64.S:113"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-18T11:37:54.864Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/adcecd50da6cab7b4957cba0606771dcc846c5a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/90491283b4064220682e4b0687d07b05df01e3bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/04181973c38f3d6a353f9246dcf7fee08024fd9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/b847ecff850719c46c95acd25a0d555dfd16e10d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9078e791426c2cbbdf28a320c3670f6e0a611e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/dfc3fff63793c571147930b13c0f8c689c4281ac"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0a2c28da11e2c2b963fc01d50acbf03045ac732"
        }
      ],
      "title": "scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2021-47576",
    "datePublished": "2024-06-19T14:53:44.725Z",
    "dateReserved": "2024-05-24T15:11:00.730Z",
    "dateUpdated": "2025-12-18T11:37:54.864Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22070 (GCVE-0-2025-22070)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-10-01 16:16

Title

fs/9p: fix NULL pointer dereference on mkdir

Summary

In the Linux kernel, the following vulnerability has been resolved: fs/9p: fix NULL pointer dereference on mkdir When a 9p tree was mounted with option 'posixacl', parent directory had a default ACL set for its subdirectories, e.g.: setfacl -m default:group:simpsons:rwx parentdir then creating a subdirectory crashed 9p client, as v9fs_fid_add() call in function v9fs_vfs_mkdir_dotl() sets the passed 'fid' pointer to NULL (since dafbe689736) even though the subsequent v9fs_set_create_acl() call expects a valid non-NULL 'fid' pointer: [ 37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000 ... [ 37.322338] Call Trace: [ 37.323043] <TASK> [ 37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434) [ 37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714) [ 37.325532] ? search_module_extables (kernel/module/main.c:3733) [ 37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet [ 37.328006] ? search_bpf_extables (kernel/bpf/core.c:804) [ 37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538) [ 37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574) [ 37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet [ 37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p [ 37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p [ 37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p [ 37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p [ 37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p [ 37.338590] vfs_mkdir (fs/namei.c:4313) [ 37.339535] do_mkdirat (fs/namei.c:4336) [ 37.340465] __x64_sys_mkdir (fs/namei.c:4354) [ 37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83) [ 37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) Fix this by simply swapping the sequence of these two calls in v9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before v9fs_fid_add().

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8522051c58d68146b…
	https://git.kernel.org/stable/c/2139dea5c53e3bb63…
	https://git.kernel.org/stable/c/6517b395cb1e43fbf…
	https://git.kernel.org/stable/c/3f61ac7c65bdb26ac…

Impacted products

Vendor

Product

Version

Linux

Affected: dafbe689736f62c696ac64809b17bdc752cfbe76 , < 8522051c58d68146b93e8a5ba9987e83b3d64e7b (git)
Affected: dafbe689736f62c696ac64809b17bdc752cfbe76 , < 2139dea5c53e3bb63ac49a6901c85e525a80ee8a (git)
Affected: dafbe689736f62c696ac64809b17bdc752cfbe76 , < 6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e (git)
Affected: dafbe689736f62c696ac64809b17bdc752cfbe76 , < 3f61ac7c65bdb26accb52f9db66313597e759821 (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22070",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T16:15:56.459715Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T16:16:00.918Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/9p/vfs_inode_dotl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8522051c58d68146b93e8a5ba9987e83b3d64e7b",
              "status": "affected",
              "version": "dafbe689736f62c696ac64809b17bdc752cfbe76",
              "versionType": "git"
            },
            {
              "lessThan": "2139dea5c53e3bb63ac49a6901c85e525a80ee8a",
              "status": "affected",
              "version": "dafbe689736f62c696ac64809b17bdc752cfbe76",
              "versionType": "git"
            },
            {
              "lessThan": "6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e",
              "status": "affected",
              "version": "dafbe689736f62c696ac64809b17bdc752cfbe76",
              "versionType": "git"
            },
            {
              "lessThan": "3f61ac7c65bdb26accb52f9db66313597e759821",
              "status": "affected",
              "version": "dafbe689736f62c696ac64809b17bdc752cfbe76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/9p/vfs_inode_dotl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs/9p: fix NULL pointer dereference on mkdir\n\nWhen a 9p tree was mounted with option \u0027posixacl\u0027, parent directory had a\ndefault ACL set for its subdirectories, e.g.:\n\n  setfacl -m default:group:simpsons:rwx parentdir\n\nthen creating a subdirectory crashed 9p client, as v9fs_fid_add() call in\nfunction v9fs_vfs_mkdir_dotl() sets the passed \u0027fid\u0027 pointer to NULL\n(since dafbe689736) even though the subsequent v9fs_set_create_acl() call\nexpects a valid non-NULL \u0027fid\u0027 pointer:\n\n  [   37.273191] BUG: kernel NULL pointer dereference, address: 0000000000000000\n  ...\n  [   37.322338] Call Trace:\n  [   37.323043]  \u003cTASK\u003e\n  [   37.323621] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)\n  [   37.324448] ? page_fault_oops (arch/x86/mm/fault.c:714)\n  [   37.325532] ? search_module_extables (kernel/module/main.c:3733)\n  [   37.326742] ? p9_client_walk (net/9p/client.c:1165) 9pnet\n  [   37.328006] ? search_bpf_extables (kernel/bpf/core.c:804)\n  [   37.329142] ? exc_page_fault (./arch/x86/include/asm/paravirt.h:686 arch/x86/mm/fault.c:1488 arch/x86/mm/fault.c:1538)\n  [   37.330196] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:574)\n  [   37.331330] ? p9_client_walk (net/9p/client.c:1165) 9pnet\n  [   37.332562] ? v9fs_fid_xattr_get (fs/9p/xattr.c:30) 9p\n  [   37.333824] v9fs_fid_xattr_set (fs/9p/fid.h:23 fs/9p/xattr.c:121) 9p\n  [   37.335077] v9fs_set_acl (fs/9p/acl.c:276) 9p\n  [   37.336112] v9fs_set_create_acl (fs/9p/acl.c:307) 9p\n  [   37.337326] v9fs_vfs_mkdir_dotl (fs/9p/vfs_inode_dotl.c:411) 9p\n  [   37.338590] vfs_mkdir (fs/namei.c:4313)\n  [   37.339535] do_mkdirat (fs/namei.c:4336)\n  [   37.340465] __x64_sys_mkdir (fs/namei.c:4354)\n  [   37.341455] do_syscall_64 (arch/x86/entry/common.c:52 arch/x86/entry/common.c:83)\n  [   37.342447] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)\n\nFix this by simply swapping the sequence of these two calls in\nv9fs_vfs_mkdir_dotl(), i.e. calling v9fs_set_create_acl() before\nv9fs_fid_add()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:48.958Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8522051c58d68146b93e8a5ba9987e83b3d64e7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/2139dea5c53e3bb63ac49a6901c85e525a80ee8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6517b395cb1e43fbf3962dd93e6fb4a5e5ab100e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f61ac7c65bdb26accb52f9db66313597e759821"
        }
      ],
      "title": "fs/9p: fix NULL pointer dereference on mkdir",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22070",
    "datePublished": "2025-04-16T14:12:23.295Z",
    "dateReserved": "2024-12-29T08:45:45.814Z",
    "dateUpdated": "2025-10-01T16:16:00.918Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22039 (GCVE-0-2025-22039)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2025-05-26 05:17

Title

ksmbd: fix overflow in dacloffset bounds check

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix overflow in dacloffset bounds check The dacloffset field was originally typed as int and used in an unchecked addition, which could overflow and bypass the existing bounds check in both smb_check_perm_dacl() and smb_inherit_dacl(). This could result in out-of-bounds memory access and a kernel crash when dereferencing the DACL pointer. This patch converts dacloffset to unsigned int and uses check_add_overflow() to validate access to the DACL.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6a9cd9ff0fa2bcc30…
	https://git.kernel.org/stable/c/6b8d379048b168a0d…
	https://git.kernel.org/stable/c/443b373a4df5a2cb9…
	https://git.kernel.org/stable/c/beff0bc9d69bc8e73…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 6a9cd9ff0fa2bcc30b2bfb8bdb161eb20e44b9dc (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 6b8d379048b168a0dff5ab1acb975b933f368514 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 443b373a4df5a2cb9f7b8c4658b2afedeb16397f (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < beff0bc9d69bc8e733f9bca28e2d3df5b3e10e42 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6a9cd9ff0fa2bcc30b2bfb8bdb161eb20e44b9dc",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "6b8d379048b168a0dff5ab1acb975b933f368514",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "443b373a4df5a2cb9f7b8c4658b2afedeb16397f",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "beff0bc9d69bc8e733f9bca28e2d3df5b3e10e42",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix overflow in dacloffset bounds check\n\nThe dacloffset field was originally typed as int and used in an\nunchecked addition, which could overflow and bypass the existing\nbounds check in both smb_check_perm_dacl() and smb_inherit_dacl().\n\nThis could result in out-of-bounds memory access and a kernel crash\nwhen dereferencing the DACL pointer.\n\nThis patch converts dacloffset to unsigned int and uses\ncheck_add_overflow() to validate access to the DACL."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:08.699Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6a9cd9ff0fa2bcc30b2bfb8bdb161eb20e44b9dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b8d379048b168a0dff5ab1acb975b933f368514"
        },
        {
          "url": "https://git.kernel.org/stable/c/443b373a4df5a2cb9f7b8c4658b2afedeb16397f"
        },
        {
          "url": "https://git.kernel.org/stable/c/beff0bc9d69bc8e733f9bca28e2d3df5b3e10e42"
        }
      ],
      "title": "ksmbd: fix overflow in dacloffset bounds check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22039",
    "datePublished": "2025-04-16T14:11:56.975Z",
    "dateReserved": "2024-12-29T08:45:45.809Z",
    "dateUpdated": "2025-05-26T05:17:08.699Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22095 (GCVE-0-2025-22095)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-11-03 19:42

Title

PCI: brcmstb: Fix error path after a call to regulator_bulk_get()

Summary

In the Linux kernel, the following vulnerability has been resolved: PCI: brcmstb: Fix error path after a call to regulator_bulk_get() If the regulator_bulk_get() returns an error and no regulators are created, we need to set their number to zero. If we don't do this and the PCIe link up fails, a call to the regulator_bulk_free() will result in a kernel panic. While at it, print the error value, as we cannot return an error upwards as the kernel will WARN() on an error from add_bus(). [kwilczynski: commit log, use comma in the message to match style with other similar messages]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/99a0efba9f903acbd…
	https://git.kernel.org/stable/c/eedd054834930b8d6…
	https://git.kernel.org/stable/c/df63321a40cc98e52…
	https://git.kernel.org/stable/c/7842e842a9bf6bd58…
	https://git.kernel.org/stable/c/6f44e1fdb006db613…
	https://git.kernel.org/stable/c/3651ad5249c51cf7e…

Impacted products

Vendor

Product

Version

Linux

Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < 99a0efba9f903acbdece548862b6b4cbe7d999e1 (git)
Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < eedd054834930b8d678f0776cd4b091b8fffbb4a (git)
Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < df63321a40cc98e52313cffbff376b8ae9ceffa7 (git)
Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < 7842e842a9bf6bd5866c84f588353711d131ab1a (git)
Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < 6f44e1fdb006db61394aa4d4c25728ada00842e7 (git)
Affected: 9e6be018b26347c26a93e63fb50a37ee2c9311de , < 3651ad5249c51cf7eee078e12612557040a6bdb4 (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:11.748Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/pcie-brcmstb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "99a0efba9f903acbdece548862b6b4cbe7d999e1",
              "status": "affected",
              "version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
              "versionType": "git"
            },
            {
              "lessThan": "eedd054834930b8d678f0776cd4b091b8fffbb4a",
              "status": "affected",
              "version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
              "versionType": "git"
            },
            {
              "lessThan": "df63321a40cc98e52313cffbff376b8ae9ceffa7",
              "status": "affected",
              "version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
              "versionType": "git"
            },
            {
              "lessThan": "7842e842a9bf6bd5866c84f588353711d131ab1a",
              "status": "affected",
              "version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
              "versionType": "git"
            },
            {
              "lessThan": "6f44e1fdb006db61394aa4d4c25728ada00842e7",
              "status": "affected",
              "version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
              "versionType": "git"
            },
            {
              "lessThan": "3651ad5249c51cf7eee078e12612557040a6bdb4",
              "status": "affected",
              "version": "9e6be018b26347c26a93e63fb50a37ee2c9311de",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pci/controller/pcie-brcmstb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPCI: brcmstb: Fix error path after a call to regulator_bulk_get()\n\nIf the regulator_bulk_get() returns an error and no regulators\nare created, we need to set their number to zero.\n\nIf we don\u0027t do this and the PCIe link up fails, a call to the\nregulator_bulk_free() will result in a kernel panic.\n\nWhile at it, print the error value, as we cannot return an error\nupwards as the kernel will WARN() on an error from add_bus().\n\n[kwilczynski: commit log, use comma in the message to match style with\nother similar messages]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:18:21.435Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/99a0efba9f903acbdece548862b6b4cbe7d999e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/eedd054834930b8d678f0776cd4b091b8fffbb4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/df63321a40cc98e52313cffbff376b8ae9ceffa7"
        },
        {
          "url": "https://git.kernel.org/stable/c/7842e842a9bf6bd5866c84f588353711d131ab1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f44e1fdb006db61394aa4d4c25728ada00842e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/3651ad5249c51cf7eee078e12612557040a6bdb4"
        }
      ],
      "title": "PCI: brcmstb: Fix error path after a call to regulator_bulk_get()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22095",
    "datePublished": "2025-04-16T14:12:46.226Z",
    "dateReserved": "2024-12-29T08:45:45.818Z",
    "dateUpdated": "2025-11-03T19:42:11.748Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21875 (GCVE-0-2025-21875)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-11-03 19:38

Title

mptcp: always handle address removal under msk socket lock

Summary

In the Linux kernel, the following vulnerability has been resolved: mptcp: always handle address removal under msk socket lock Syzkaller reported a lockdep splat in the PM control path: WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline] WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Modules linked in: CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0 Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024 RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline] RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline] RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788 Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 <0f> 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283 RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000 RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408 RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000 R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0 R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00 FS: 00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59 mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486 mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline] mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629 genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline] genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210 netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543 genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892 sock_sendmsg_nosec net/socket.c:718 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:733 ____sys_sendmsg+0x53a/0x860 net/socket.c:2573 ___sys_sendmsg net/socket.c:2627 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2659 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f7e9998cde9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9 RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007 RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088 Indeed the PM can try to send a RM_ADDR over a msk without acquiring first the msk socket lock. The bugged code-path comes from an early optimization: when there are no subflows, the PM should (usually) not send RM_ADDR notifications. The above statement is incorrect, as without locks another process could concur ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/494ec285535632732…
	https://git.kernel.org/stable/c/7cca31035c0581964…
	https://git.kernel.org/stable/c/8116fb4acd5d3f06c…
	https://git.kernel.org/stable/c/a05da2be18aae7e82…
	https://git.kernel.org/stable/c/4124b782ec2b1e2e4…
	https://git.kernel.org/stable/c/2c3de6dff4373f103…
	https://git.kernel.org/stable/c/f865c24bc55158313…

Impacted products

Vendor

Product

Version

Linux

Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < 494ec285535632732eaa5786297a9ae4f731b5ff (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < 7cca31035c05819643ffb5d7518e9a331b3f6651 (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < 8116fb4acd5d3f06cd37f84887dbe962b6703b1c (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < a05da2be18aae7e82572f8d795f41bb49f5dfc7d (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < 4124b782ec2b1e2e490cf0bbf10f53dfd3479890 (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < 2c3de6dff4373f1036e003f49a32629359530bdb (git)
Affected: b6c08380860b926752d57c8fa9911fa388c4b876 , < f865c24bc55158313d5779fc81116023a6940ca3 (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:31.794Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "494ec285535632732eaa5786297a9ae4f731b5ff",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "7cca31035c05819643ffb5d7518e9a331b3f6651",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "8116fb4acd5d3f06cd37f84887dbe962b6703b1c",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "a05da2be18aae7e82572f8d795f41bb49f5dfc7d",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "4124b782ec2b1e2e490cf0bbf10f53dfd3479890",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "2c3de6dff4373f1036e003f49a32629359530bdb",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            },
            {
              "lessThan": "f865c24bc55158313d5779fc81116023a6940ca3",
              "status": "affected",
              "version": "b6c08380860b926752d57c8fa9911fa388c4b876",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mptcp/pm_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmptcp: always handle address removal under msk socket lock\n\nSyzkaller reported a lockdep splat in the PM control path:\n\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 sock_owned_by_me include/net/sock.h:1711 [inline]\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n  WARNING: CPU: 0 PID: 6693 at ./include/net/sock.h:1711 mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n  Modules linked in:\n  CPU: 0 UID: 0 PID: 6693 Comm: syz.0.205 Not tainted 6.14.0-rc2-syzkaller-00303-gad1b832bf1cf #0\n  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 12/27/2024\n  RIP: 0010:sock_owned_by_me include/net/sock.h:1711 [inline]\n  RIP: 0010:msk_owned_by_me net/mptcp/protocol.h:363 [inline]\n  RIP: 0010:mptcp_pm_nl_addr_send_ack+0x57c/0x610 net/mptcp/pm_netlink.c:788\n  Code: 5b 41 5c 41 5d 41 5e 41 5f 5d c3 cc cc cc cc e8 ca 7b d3 f5 eb b9 e8 c3 7b d3 f5 90 0f 0b 90 e9 dd fb ff ff e8 b5 7b d3 f5 90 \u003c0f\u003e 0b 90 e9 3e fb ff ff 44 89 f1 80 e1 07 38 c1 0f 8c eb fb ff ff\n  RSP: 0000:ffffc900034f6f60 EFLAGS: 00010283\n  RAX: ffffffff8bee3c2b RBX: 0000000000000001 RCX: 0000000000080000\n  RDX: ffffc90004d42000 RSI: 000000000000a407 RDI: 000000000000a408\n  RBP: ffffc900034f7030 R08: ffffffff8bee37f6 R09: 0100000000000000\n  R10: dffffc0000000000 R11: ffffed100bcc62e4 R12: ffff88805e6316e0\n  R13: ffff88805e630c00 R14: dffffc0000000000 R15: ffff88805e630c00\n  FS:  00007f7e9a7e96c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000001b2fd18ff8 CR3: 0000000032c24000 CR4: 00000000003526f0\n  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n  Call Trace:\n   \u003cTASK\u003e\n   mptcp_pm_remove_addr+0x103/0x1d0 net/mptcp/pm.c:59\n   mptcp_pm_remove_anno_addr+0x1f4/0x2f0 net/mptcp/pm_netlink.c:1486\n   mptcp_nl_remove_subflow_and_signal_addr net/mptcp/pm_netlink.c:1518 [inline]\n   mptcp_pm_nl_del_addr_doit+0x118d/0x1af0 net/mptcp/pm_netlink.c:1629\n   genl_family_rcv_msg_doit net/netlink/genetlink.c:1115 [inline]\n   genl_family_rcv_msg net/netlink/genetlink.c:1195 [inline]\n   genl_rcv_msg+0xb1f/0xec0 net/netlink/genetlink.c:1210\n   netlink_rcv_skb+0x206/0x480 net/netlink/af_netlink.c:2543\n   genl_rcv+0x28/0x40 net/netlink/genetlink.c:1219\n   netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n   netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1348\n   netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1892\n   sock_sendmsg_nosec net/socket.c:718 [inline]\n   __sock_sendmsg+0x221/0x270 net/socket.c:733\n   ____sys_sendmsg+0x53a/0x860 net/socket.c:2573\n   ___sys_sendmsg net/socket.c:2627 [inline]\n   __sys_sendmsg+0x269/0x350 net/socket.c:2659\n   do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n   do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n   entry_SYSCALL_64_after_hwframe+0x77/0x7f\n  RIP: 0033:0x7f7e9998cde9\n  Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48\n  RSP: 002b:00007f7e9a7e9038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\n  RAX: ffffffffffffffda RBX: 00007f7e99ba5fa0 RCX: 00007f7e9998cde9\n  RDX: 000000002000c094 RSI: 0000400000000000 RDI: 0000000000000007\n  RBP: 00007f7e99a0e2a0 R08: 0000000000000000 R09: 0000000000000000\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 0000000000000000 R14: 00007f7e99ba5fa0 R15: 00007fff49231088\n\nIndeed the PM can try to send a RM_ADDR over a msk without acquiring\nfirst the msk socket lock.\n\nThe bugged code-path comes from an early optimization: when there\nare no subflows, the PM should (usually) not send RM_ADDR\nnotifications.\n\nThe above statement is incorrect, as without locks another process\ncould concur\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:01.132Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/494ec285535632732eaa5786297a9ae4f731b5ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/7cca31035c05819643ffb5d7518e9a331b3f6651"
        },
        {
          "url": "https://git.kernel.org/stable/c/8116fb4acd5d3f06cd37f84887dbe962b6703b1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/a05da2be18aae7e82572f8d795f41bb49f5dfc7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/4124b782ec2b1e2e490cf0bbf10f53dfd3479890"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c3de6dff4373f1036e003f49a32629359530bdb"
        },
        {
          "url": "https://git.kernel.org/stable/c/f865c24bc55158313d5779fc81116023a6940ca3"
        }
      ],
      "title": "mptcp: always handle address removal under msk socket lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21875",
    "datePublished": "2025-03-27T14:57:06.154Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-11-03T19:38:31.794Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21877 (GCVE-0-2025-21877)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-11-03 19:38

Title

usbnet: gl620a: fix endpoint checking in genelink_bind()

Summary

In the Linux kernel, the following vulnerability has been resolved: usbnet: gl620a: fix endpoint checking in genelink_bind() Syzbot reports [1] a warning in usb_submit_urb() triggered by inconsistencies between expected and actually present endpoints in gl620a driver. Since genelink_bind() does not properly verify whether specified eps are in fact provided by the device, in this case, an artificially manufactured one, one may get a mismatch. Fix the issue by resorting to a usbnet utility function usbnet_get_endpoints(), usually reserved for this very problem. Check for endpoints and return early before proceeding further if any are missing. [1] Syzbot report: usb 5-1: Manufacturer: syz usb 5-1: SerialNumber: syz usb 5-1: config 0 descriptor?? gl620a 5-1:0.23 usb0: register 'gl620a' at usb-dummy_hcd.0-1, ... ------------[ cut here ]------------ usb 5-1: BOGUS urb xfer, pipe 3 != type 1 WARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 Modules linked in: CPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014 Workqueue: mld mld_ifc_work RIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503 ... Call Trace: <TASK> usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467 __netdev_start_xmit include/linux/netdevice.h:5002 [inline] netdev_start_xmit include/linux/netdevice.h:5011 [inline] xmit_one net/core/dev.c:3590 [inline] dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606 sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343 __dev_xmit_skb net/core/dev.c:3827 [inline] __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400 dev_queue_xmit include/linux/netdevice.h:3168 [inline] neigh_resolve_output net/core/neighbour.c:1514 [inline] neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494 neigh_output include/net/neighbour.h:539 [inline] ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141 __ip6_finish_output net/ipv6/ip6_output.c:215 [inline] ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226 NF_HOOK_COND include/linux/netfilter.h:303 [inline] ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247 dst_output include/net/dst.h:450 [inline] NF_HOOK include/linux/netfilter.h:314 [inline] NF_HOOK include/linux/netfilter.h:308 [inline] mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819 mld_send_cr net/ipv6/mcast.c:2120 [inline] mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651 process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229 process_scheduled_works kernel/workqueue.c:3310 [inline] worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391 kthread+0x2c1/0x3a0 kernel/kthread.c:389 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5f2dbabbce04b1ffc…
	https://git.kernel.org/stable/c/24dd971104057c882…
	https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb2…
	https://git.kernel.org/stable/c/67ebc3391c8377738…
	https://git.kernel.org/stable/c/a2ee5e55b50a97d13…
	https://git.kernel.org/stable/c/4e8b8d43373bf837b…
	https://git.kernel.org/stable/c/ded25730c96949cb8…
	https://git.kernel.org/stable/c/1cf9631d836b289bd…

Impacted products

Vendor

Product

Version

Linux

Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 5f2dbabbce04b1ffcd6d8d07564adb94db577536 (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 24dd971104057c8828d420a48e0a5af6e6f30d3e (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 67ebc3391c8377738e97a43374054d9718fdb6e4 (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < a2ee5e55b50a97d13617c8653482c0ad4decff8c (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 4e8b8d43373bf837be159366f0192502f97ec7a5 (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < ded25730c96949cb8b048b29c557e38569124943 (git)
Affected: 47ee3051c856cc2aa95d35d577a8cb37279d540f , < 1cf9631d836b289bd5490776551961c883ae8a4f (git)

Linux

Affected: 2.6.14
Unaffected: 0 , < 2.6.14 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:34.566Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/gl620a.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5f2dbabbce04b1ffcd6d8d07564adb94db577536",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "24dd971104057c8828d420a48e0a5af6e6f30d3e",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "67ebc3391c8377738e97a43374054d9718fdb6e4",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "a2ee5e55b50a97d13617c8653482c0ad4decff8c",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "4e8b8d43373bf837be159366f0192502f97ec7a5",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "ded25730c96949cb8b048b29c557e38569124943",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            },
            {
              "lessThan": "1cf9631d836b289bd5490776551961c883ae8a4f",
              "status": "affected",
              "version": "47ee3051c856cc2aa95d35d577a8cb37279d540f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/usb/gl620a.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.14"
            },
            {
              "lessThan": "2.6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusbnet: gl620a: fix endpoint checking in genelink_bind()\n\nSyzbot reports [1] a warning in usb_submit_urb() triggered by\ninconsistencies between expected and actually present endpoints\nin gl620a driver. Since genelink_bind() does not properly\nverify whether specified eps are in fact provided by the device,\nin this case, an artificially manufactured one, one may get a\nmismatch.\n\nFix the issue by resorting to a usbnet utility function\nusbnet_get_endpoints(), usually reserved for this very problem.\nCheck for endpoints and return early before proceeding further if\nany are missing.\n\n[1] Syzbot report:\nusb 5-1: Manufacturer: syz\nusb 5-1: SerialNumber: syz\nusb 5-1: config 0 descriptor??\ngl620a 5-1:0.23 usb0: register \u0027gl620a\u0027 at usb-dummy_hcd.0-1, ...\n------------[ cut here ]------------\nusb 5-1: BOGUS urb xfer, pipe 3 != type 1\nWARNING: CPU: 2 PID: 1841 at drivers/usb/core/urb.c:503 usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\nModules linked in:\nCPU: 2 UID: 0 PID: 1841 Comm: kworker/2:2 Not tainted 6.12.0-syzkaller-07834-g06afb0f36106 #0\nHardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2~bpo12+1 04/01/2014\nWorkqueue: mld mld_ifc_work\nRIP: 0010:usb_submit_urb+0xe4b/0x1730 drivers/usb/core/urb.c:503\n...\nCall Trace:\n \u003cTASK\u003e\n usbnet_start_xmit+0x6be/0x2780 drivers/net/usb/usbnet.c:1467\n __netdev_start_xmit include/linux/netdevice.h:5002 [inline]\n netdev_start_xmit include/linux/netdevice.h:5011 [inline]\n xmit_one net/core/dev.c:3590 [inline]\n dev_hard_start_xmit+0x9a/0x7b0 net/core/dev.c:3606\n sch_direct_xmit+0x1ae/0xc30 net/sched/sch_generic.c:343\n __dev_xmit_skb net/core/dev.c:3827 [inline]\n __dev_queue_xmit+0x13d4/0x43e0 net/core/dev.c:4400\n dev_queue_xmit include/linux/netdevice.h:3168 [inline]\n neigh_resolve_output net/core/neighbour.c:1514 [inline]\n neigh_resolve_output+0x5bc/0x950 net/core/neighbour.c:1494\n neigh_output include/net/neighbour.h:539 [inline]\n ip6_finish_output2+0xb1b/0x2070 net/ipv6/ip6_output.c:141\n __ip6_finish_output net/ipv6/ip6_output.c:215 [inline]\n ip6_finish_output+0x3f9/0x1360 net/ipv6/ip6_output.c:226\n NF_HOOK_COND include/linux/netfilter.h:303 [inline]\n ip6_output+0x1f8/0x540 net/ipv6/ip6_output.c:247\n dst_output include/net/dst.h:450 [inline]\n NF_HOOK include/linux/netfilter.h:314 [inline]\n NF_HOOK include/linux/netfilter.h:308 [inline]\n mld_sendpack+0x9f0/0x11d0 net/ipv6/mcast.c:1819\n mld_send_cr net/ipv6/mcast.c:2120 [inline]\n mld_ifc_work+0x740/0xca0 net/ipv6/mcast.c:2651\n process_one_work+0x9c5/0x1ba0 kernel/workqueue.c:3229\n process_scheduled_works kernel/workqueue.c:3310 [inline]\n worker_thread+0x6c8/0xf00 kernel/workqueue.c:3391\n kthread+0x2c1/0x3a0 kernel/kthread.c:389\n ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147\n ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:09.089Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5f2dbabbce04b1ffcd6d8d07564adb94db577536"
        },
        {
          "url": "https://git.kernel.org/stable/c/24dd971104057c8828d420a48e0a5af6e6f30d3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bcb8cbc3e5d67eb223bfb7e2291a270dbb699dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/67ebc3391c8377738e97a43374054d9718fdb6e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2ee5e55b50a97d13617c8653482c0ad4decff8c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e8b8d43373bf837be159366f0192502f97ec7a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/ded25730c96949cb8b048b29c557e38569124943"
        },
        {
          "url": "https://git.kernel.org/stable/c/1cf9631d836b289bd5490776551961c883ae8a4f"
        }
      ],
      "title": "usbnet: gl620a: fix endpoint checking in genelink_bind()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21877",
    "datePublished": "2025-03-27T14:57:07.462Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-11-03T19:38:34.566Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22120 (GCVE-0-2025-22120)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-05-26 05:18

Title

ext4: goto right label 'out_mmap_sem' in ext4_setattr()

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: goto right label 'out_mmap_sem' in ext4_setattr() Otherwise, if ext4_inode_attach_jinode() fails, a hung task will happen because filemap_invalidate_unlock() isn't called to unlock mapping->invalidate_lock. Like this: EXT4-fs error (device sda) in ext4_setattr:5557: Out of memory INFO: task fsstress:374 blocked for more than 122 seconds. Not tainted 6.14.0-rc1-next-20250206-xfstests-dirty #726 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. task:fsstress state:D stack:0 pid:374 tgid:374 ppid:373 task_flags:0x440140 flags:0x00000000 Call Trace: <TASK> __schedule+0x2c9/0x7f0 schedule+0x27/0xa0 schedule_preempt_disabled+0x15/0x30 rwsem_down_read_slowpath+0x278/0x4c0 down_read+0x59/0xb0 page_cache_ra_unbounded+0x65/0x1b0 filemap_get_pages+0x124/0x3e0 filemap_read+0x114/0x3d0 vfs_read+0x297/0x360 ksys_read+0x6c/0xe0 do_syscall_64+0x4b/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/551667f99bcf04fa5…
	https://git.kernel.org/stable/c/45314999f950321a3…
	https://git.kernel.org/stable/c/32d872e3905746ff1…
	https://git.kernel.org/stable/c/7e91ae31e2d264155…

Impacted products

Vendor

Product

Version

Linux

Affected: 93011887013dbaa0e3a0285176ca89be153df651 , < 551667f99bcf04fa58594d7d19aef73c861a1200 (git)
Affected: b6ce2dbe984bcd7fb0c1df15b5e2fa57e1574a8e , < 45314999f950321a341033ae8f9ac12dce40669b (git)
Affected: c7fc0366c65628fd69bfc310affec4918199aae2 , < 32d872e3905746ff1048078256cb00f946b97d8a (git)
Affected: c7fc0366c65628fd69bfc310affec4918199aae2 , < 7e91ae31e2d264155dfd102101afc2de7bd74a64 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "551667f99bcf04fa58594d7d19aef73c861a1200",
              "status": "affected",
              "version": "93011887013dbaa0e3a0285176ca89be153df651",
              "versionType": "git"
            },
            {
              "lessThan": "45314999f950321a341033ae8f9ac12dce40669b",
              "status": "affected",
              "version": "b6ce2dbe984bcd7fb0c1df15b5e2fa57e1574a8e",
              "versionType": "git"
            },
            {
              "lessThan": "32d872e3905746ff1048078256cb00f946b97d8a",
              "status": "affected",
              "version": "c7fc0366c65628fd69bfc310affec4918199aae2",
              "versionType": "git"
            },
            {
              "lessThan": "7e91ae31e2d264155dfd102101afc2de7bd74a64",
              "status": "affected",
              "version": "c7fc0366c65628fd69bfc310affec4918199aae2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "6.6.70",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.12.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: goto right label \u0027out_mmap_sem\u0027 in ext4_setattr()\n\nOtherwise, if ext4_inode_attach_jinode() fails, a hung task will\nhappen because filemap_invalidate_unlock() isn\u0027t called to unlock\nmapping-\u003einvalidate_lock. Like this:\n\nEXT4-fs error (device sda) in ext4_setattr:5557: Out of memory\nINFO: task fsstress:374 blocked for more than 122 seconds.\n      Not tainted 6.14.0-rc1-next-20250206-xfstests-dirty #726\n\"echo 0 \u003e /proc/sys/kernel/hung_task_timeout_secs\" disables this message.\ntask:fsstress state:D stack:0     pid:374   tgid:374   ppid:373\n                                  task_flags:0x440140 flags:0x00000000\nCall Trace:\n \u003cTASK\u003e\n __schedule+0x2c9/0x7f0\n schedule+0x27/0xa0\n schedule_preempt_disabled+0x15/0x30\n rwsem_down_read_slowpath+0x278/0x4c0\n down_read+0x59/0xb0\n page_cache_ra_unbounded+0x65/0x1b0\n filemap_get_pages+0x124/0x3e0\n filemap_read+0x114/0x3d0\n vfs_read+0x297/0x360\n ksys_read+0x6c/0xe0\n do_syscall_64+0x4b/0x110\n entry_SYSCALL_64_after_hwframe+0x76/0x7e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:18:54.234Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/551667f99bcf04fa58594d7d19aef73c861a1200"
        },
        {
          "url": "https://git.kernel.org/stable/c/45314999f950321a341033ae8f9ac12dce40669b"
        },
        {
          "url": "https://git.kernel.org/stable/c/32d872e3905746ff1048078256cb00f946b97d8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e91ae31e2d264155dfd102101afc2de7bd74a64"
        }
      ],
      "title": "ext4: goto right label \u0027out_mmap_sem\u0027 in ext4_setattr()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22120",
    "datePublished": "2025-04-16T14:13:05.289Z",
    "dateReserved": "2024-12-29T08:45:45.823Z",
    "dateUpdated": "2025-05-26T05:18:54.234Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22024 (GCVE-0-2025-22024)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2025-10-01 17:05

Title

nfsd: fix management of listener transports

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix management of listener transports Currently, when no active threads are running, a root user using nfsdctl command can try to remove a particular listener from the list of previously added ones, then start the server by increasing the number of threads, it leads to the following problem: [ 158.835354] refcount_t: addition on 0; use-after-free. [ 158.835603] WARNING: CPU: 2 PID: 9145 at lib/refcount.c:25 refcount_warn_saturate+0x160/0x1a0 [ 158.836017] Modules linked in: rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace overlay isofs uinput snd_seq_dummy snd_hrtimer nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables qrtr sunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 videodev videobuf2_common snd_hda_codec_generic mc e1000e snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore sg loop dm_multipath dm_mod nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs libcrc32c crct10dif_ce ghash_ce vmwgfx sha2_ce sha256_arm64 sr_mod sha1_ce cdrom nvme drm_client_lib drm_ttm_helper ttm nvme_core drm_kms_helper nvme_auth drm fuse [ 158.840093] CPU: 2 UID: 0 PID: 9145 Comm: nfsd Kdump: loaded Tainted: G B W 6.13.0-rc6+ #7 [ 158.840624] Tainted: [B]=BAD_PAGE, [W]=WARN [ 158.840802] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024 [ 158.841220] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--) [ 158.841563] pc : refcount_warn_saturate+0x160/0x1a0 [ 158.841780] lr : refcount_warn_saturate+0x160/0x1a0 [ 158.842000] sp : ffff800089be7d80 [ 158.842147] x29: ffff800089be7d80 x28: ffff00008e68c148 x27: ffff00008e68c148 [ 158.842492] x26: ffff0002e3b5c000 x25: ffff600011cd1829 x24: ffff00008653c010 [ 158.842832] x23: ffff00008653c000 x22: 1fffe00011cd1829 x21: ffff00008653c028 [ 158.843175] x20: 0000000000000002 x19: ffff00008653c010 x18: 0000000000000000 [ 158.843505] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 [ 158.843836] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600050a26493 [ 158.844143] x11: 1fffe00050a26492 x10: ffff600050a26492 x9 : dfff800000000000 [ 158.844475] x8 : 00009fffaf5d9b6e x7 : ffff000285132493 x6 : 0000000000000001 [ 158.844823] x5 : ffff000285132490 x4 : ffff600050a26493 x3 : ffff8000805e72bc [ 158.845174] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000098588000 [ 158.845528] Call trace: [ 158.845658] refcount_warn_saturate+0x160/0x1a0 (P) [ 158.845894] svc_recv+0x58c/0x680 [sunrpc] [ 158.846183] nfsd+0x1fc/0x348 [nfsd] [ 158.846390] kthread+0x274/0x2f8 [ 158.846546] ret_from_fork+0x10/0x20 [ 158.846714] ---[ end trace 0000000000000000 ]--- nfsd_nl_listener_set_doit() would manipulate the list of transports of server's sv_permsocks and close the specified listener but the other list of transports (server's sp_xprts list) would not be changed leading to the problem above. Instead, determined if the nfsdctl is trying to remove a listener, in which case, delete all the existing listener transports and re-create all-but-the-removed ones.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a84c80515ca8a0cdf…
	https://git.kernel.org/stable/c/052a34f093fb940a1…
	https://git.kernel.org/stable/c/0f42df0ab2b11ea6b…
	https://git.kernel.org/stable/c/d093c90892607be50…

Impacted products

Vendor

Product

Version

Linux

Affected: 16a471177496c8e04a9793812c187a2c1a2192fa , < a84c80515ca8a0cdf6d06f1b6ca721224b08453e (git)
Affected: 16a471177496c8e04a9793812c187a2c1a2192fa , < 052a34f093fb940a145493d1438e7abbfe507cdd (git)
Affected: 16a471177496c8e04a9793812c187a2c1a2192fa , < 0f42df0ab2b11ea6b2884bdaf6dbc3be6dde7e82 (git)
Affected: 16a471177496c8e04a9793812c187a2c1a2192fa , < d093c90892607be505e801469d6674459e69ab89 (git)

Linux

Affected: 6.10
Unaffected: 0 , < 6.10 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22024",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:05:34.999915Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:05:37.618Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfsctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a84c80515ca8a0cdf6d06f1b6ca721224b08453e",
              "status": "affected",
              "version": "16a471177496c8e04a9793812c187a2c1a2192fa",
              "versionType": "git"
            },
            {
              "lessThan": "052a34f093fb940a145493d1438e7abbfe507cdd",
              "status": "affected",
              "version": "16a471177496c8e04a9793812c187a2c1a2192fa",
              "versionType": "git"
            },
            {
              "lessThan": "0f42df0ab2b11ea6b2884bdaf6dbc3be6dde7e82",
              "status": "affected",
              "version": "16a471177496c8e04a9793812c187a2c1a2192fa",
              "versionType": "git"
            },
            {
              "lessThan": "d093c90892607be505e801469d6674459e69ab89",
              "status": "affected",
              "version": "16a471177496c8e04a9793812c187a2c1a2192fa",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfsctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.10"
            },
            {
              "lessThan": "6.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix management of listener transports\n\nCurrently, when no active threads are running, a root user using nfsdctl\ncommand can try to remove a particular listener from the list of previously\nadded ones, then start the server by increasing the number of threads,\nit leads to the following problem:\n\n[  158.835354] refcount_t: addition on 0; use-after-free.\n[  158.835603] WARNING: CPU: 2 PID: 9145 at lib/refcount.c:25 refcount_warn_saturate+0x160/0x1a0\n[  158.836017] Modules linked in: rpcrdma rdma_cm iw_cm ib_cm ib_core nfsd auth_rpcgss nfs_acl lockd grace overlay isofs uinput snd_seq_dummy snd_hrtimer nft_fib_inet nft_fib_ipv4 nft_fib_ipv6 nft_fib nft_reject_inet nf_reject_ipv4 nf_reject_ipv6 nft_reject nft_ct nft_chain_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 rfkill ip_set nf_tables qrtr sunrpc vfat fat uvcvideo videobuf2_vmalloc videobuf2_memops uvc videobuf2_v4l2 videodev videobuf2_common snd_hda_codec_generic mc e1000e snd_hda_intel snd_intel_dspcfg snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm snd_timer snd soundcore sg loop dm_multipath dm_mod nfnetlink vsock_loopback vmw_vsock_virtio_transport_common vmw_vsock_vmci_transport vmw_vmci vsock xfs libcrc32c crct10dif_ce ghash_ce vmwgfx sha2_ce sha256_arm64 sr_mod sha1_ce cdrom nvme drm_client_lib drm_ttm_helper ttm nvme_core drm_kms_helper nvme_auth drm fuse\n[  158.840093] CPU: 2 UID: 0 PID: 9145 Comm: nfsd Kdump: loaded Tainted: G    B   W          6.13.0-rc6+ #7\n[  158.840624] Tainted: [B]=BAD_PAGE, [W]=WARN\n[  158.840802] Hardware name: VMware, Inc. VMware20,1/VBSA, BIOS VMW201.00V.24006586.BA64.2406042154 06/04/2024\n[  158.841220] pstate: 61400005 (nZCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)\n[  158.841563] pc : refcount_warn_saturate+0x160/0x1a0\n[  158.841780] lr : refcount_warn_saturate+0x160/0x1a0\n[  158.842000] sp : ffff800089be7d80\n[  158.842147] x29: ffff800089be7d80 x28: ffff00008e68c148 x27: ffff00008e68c148\n[  158.842492] x26: ffff0002e3b5c000 x25: ffff600011cd1829 x24: ffff00008653c010\n[  158.842832] x23: ffff00008653c000 x22: 1fffe00011cd1829 x21: ffff00008653c028\n[  158.843175] x20: 0000000000000002 x19: ffff00008653c010 x18: 0000000000000000\n[  158.843505] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n[  158.843836] x14: 0000000000000000 x13: 0000000000000001 x12: ffff600050a26493\n[  158.844143] x11: 1fffe00050a26492 x10: ffff600050a26492 x9 : dfff800000000000\n[  158.844475] x8 : 00009fffaf5d9b6e x7 : ffff000285132493 x6 : 0000000000000001\n[  158.844823] x5 : ffff000285132490 x4 : ffff600050a26493 x3 : ffff8000805e72bc\n[  158.845174] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff000098588000\n[  158.845528] Call trace:\n[  158.845658]  refcount_warn_saturate+0x160/0x1a0 (P)\n[  158.845894]  svc_recv+0x58c/0x680 [sunrpc]\n[  158.846183]  nfsd+0x1fc/0x348 [nfsd]\n[  158.846390]  kthread+0x274/0x2f8\n[  158.846546]  ret_from_fork+0x10/0x20\n[  158.846714] ---[ end trace 0000000000000000 ]---\n\nnfsd_nl_listener_set_doit() would manipulate the list of transports of\nserver\u0027s sv_permsocks and close the specified listener but the other\nlist of transports (server\u0027s sp_xprts list) would not be changed leading\nto the problem above.\n\nInstead, determined if the nfsdctl is trying to remove a listener, in\nwhich case, delete all the existing listener transports and re-create\nall-but-the-removed ones."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:16:50.917Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a84c80515ca8a0cdf6d06f1b6ca721224b08453e"
        },
        {
          "url": "https://git.kernel.org/stable/c/052a34f093fb940a145493d1438e7abbfe507cdd"
        },
        {
          "url": "https://git.kernel.org/stable/c/0f42df0ab2b11ea6b2884bdaf6dbc3be6dde7e82"
        },
        {
          "url": "https://git.kernel.org/stable/c/d093c90892607be505e801469d6674459e69ab89"
        }
      ],
      "title": "nfsd: fix management of listener transports",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22024",
    "datePublished": "2025-04-16T14:11:45.975Z",
    "dateReserved": "2024-12-29T08:45:45.807Z",
    "dateUpdated": "2025-10-01T17:05:37.618Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22105 (GCVE-0-2025-22105)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-12-06 21:38

Title

bonding: check xdp prog when set bond mode

Summary

In the Linux kernel, the following vulnerability has been resolved: bonding: check xdp prog when set bond mode Following operations can trigger a warning[1]: ip netns add ns1 ip netns exec ns1 ip link add bond0 type bond mode balance-rr ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp ip netns exec ns1 ip link set bond0 type bond mode broadcast ip netns del ns1 When delete the namespace, dev_xdp_uninstall() is called to remove xdp program on bond dev, and bond_xdp_set() will check the bond mode. If bond mode is changed after attaching xdp program, the warning may occur. Some bond modes (broadcast, etc.) do not support native xdp. Set bond mode with xdp program attached is not good. Add check for xdp program when set bond mode. [1] ------------[ cut here ]------------ WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930 Modules linked in: CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014 Workqueue: netns cleanup_net RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930 Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ... RSP: 0018:ffffc90000063d80 EFLAGS: 00000282 RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48 RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8 R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000 FS: 0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0 Call Trace: <TASK> ? __warn+0x83/0x130 ? unregister_netdevice_many_notify+0x8d9/0x930 ? report_bug+0x18e/0x1a0 ? handle_bug+0x54/0x90 ? exc_invalid_op+0x18/0x70 ? asm_exc_invalid_op+0x1a/0x20 ? unregister_netdevice_many_notify+0x8d9/0x930 ? bond_net_exit_batch_rtnl+0x5c/0x90 cleanup_net+0x237/0x3d0 process_one_work+0x163/0x390 worker_thread+0x293/0x3b0 ? __pfx_worker_thread+0x10/0x10 kthread+0xec/0x1e0 ? __pfx_kthread+0x10/0x10 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2f/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5106da73b01668a1a…
	https://git.kernel.org/stable/c/6f3af8055ee7ab69d…
	https://git.kernel.org/stable/c/0dd4fac43bdea23cf…
	https://git.kernel.org/stable/c/094ee6017ea09c11d…

Impacted products

Vendor

Product

Version

Linux

Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 5106da73b01668a1aa5d0f352b95d2b832b5caa7 (git)
Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 6f3af8055ee7ab69d1451f056fcd890df99c167e (git)
Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb (git)
Affected: 9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e , < 094ee6017ea09c11d6af187935a949df32803ce0 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.6.119 , ≤ 6.6.* (semver)
Unaffected: 6.12.57 , ≤ 6.12.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/bonding/bond_main.c",
            "drivers/net/bonding/bond_options.c",
            "include/net/bonding.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5106da73b01668a1aa5d0f352b95d2b832b5caa7",
              "status": "affected",
              "version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
              "versionType": "git"
            },
            {
              "lessThan": "6f3af8055ee7ab69d1451f056fcd890df99c167e",
              "status": "affected",
              "version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
              "versionType": "git"
            },
            {
              "lessThan": "0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb",
              "status": "affected",
              "version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
              "versionType": "git"
            },
            {
              "lessThan": "094ee6017ea09c11d6af187935a949df32803ce0",
              "status": "affected",
              "version": "9e2ee5c7e7c35d195e2aa0692a7241d47a433d1e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/bonding/bond_main.c",
            "drivers/net/bonding/bond_options.c",
            "include/net/bonding.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.119",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.119",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.57",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbonding: check xdp prog when set bond mode\n\nFollowing operations can trigger a warning[1]:\n\n    ip netns add ns1\n    ip netns exec ns1 ip link add bond0 type bond mode balance-rr\n    ip netns exec ns1 ip link set dev bond0 xdp obj af_xdp_kern.o sec xdp\n    ip netns exec ns1 ip link set bond0 type bond mode broadcast\n    ip netns del ns1\n\nWhen delete the namespace, dev_xdp_uninstall() is called to remove xdp\nprogram on bond dev, and bond_xdp_set() will check the bond mode. If bond\nmode is changed after attaching xdp program, the warning may occur.\n\nSome bond modes (broadcast, etc.) do not support native xdp. Set bond mode\nwith xdp program attached is not good. Add check for xdp program when set\nbond mode.\n\n    [1]\n    ------------[ cut here ]------------\n    WARNING: CPU: 0 PID: 11 at net/core/dev.c:9912 unregister_netdevice_many_notify+0x8d9/0x930\n    Modules linked in:\n    CPU: 0 UID: 0 PID: 11 Comm: kworker/u4:0 Not tainted 6.14.0-rc4 #107\n    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b3f840-prebuilt.qemu.org 04/01/2014\n    Workqueue: netns cleanup_net\n    RIP: 0010:unregister_netdevice_many_notify+0x8d9/0x930\n    Code: 00 00 48 c7 c6 6f e3 a2 82 48 c7 c7 d0 b3 96 82 e8 9c 10 3e ...\n    RSP: 0018:ffffc90000063d80 EFLAGS: 00000282\n    RAX: 00000000ffffffa1 RBX: ffff888004959000 RCX: 00000000ffffdfff\n    RDX: 0000000000000000 RSI: 00000000ffffffea RDI: ffffc90000063b48\n    RBP: ffffc90000063e28 R08: ffffffff82d39b28 R09: 0000000000009ffb\n    R10: 0000000000000175 R11: ffffffff82d09b40 R12: ffff8880049598e8\n    R13: 0000000000000001 R14: dead000000000100 R15: ffffc90000045000\n    FS:  0000000000000000(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000\n    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n    CR2: 000000000d406b60 CR3: 000000000483e000 CR4: 00000000000006f0\n    Call Trace:\n     \u003cTASK\u003e\n     ? __warn+0x83/0x130\n     ? unregister_netdevice_many_notify+0x8d9/0x930\n     ? report_bug+0x18e/0x1a0\n     ? handle_bug+0x54/0x90\n     ? exc_invalid_op+0x18/0x70\n     ? asm_exc_invalid_op+0x1a/0x20\n     ? unregister_netdevice_many_notify+0x8d9/0x930\n     ? bond_net_exit_batch_rtnl+0x5c/0x90\n     cleanup_net+0x237/0x3d0\n     process_one_work+0x163/0x390\n     worker_thread+0x293/0x3b0\n     ? __pfx_worker_thread+0x10/0x10\n     kthread+0xec/0x1e0\n     ? __pfx_kthread+0x10/0x10\n     ? __pfx_kthread+0x10/0x10\n     ret_from_fork+0x2f/0x50\n     ? __pfx_kthread+0x10/0x10\n     ret_from_fork_asm+0x1a/0x30\n     \u003c/TASK\u003e\n    ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:18.474Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5106da73b01668a1aa5d0f352b95d2b832b5caa7"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f3af8055ee7ab69d1451f056fcd890df99c167e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0dd4fac43bdea23cfe4bb2a3eabb76d752ac32fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/094ee6017ea09c11d6af187935a949df32803ce0"
        }
      ],
      "title": "bonding: check xdp prog when set bond mode",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22105",
    "datePublished": "2025-04-16T14:12:53.830Z",
    "dateReserved": "2024-12-29T08:45:45.819Z",
    "dateUpdated": "2025-12-06T21:38:18.474Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37765 (GCVE-0-2025-37765)

Vulnerability from cvelistv5 – Published: 2025-05-01 13:07 – Updated: 2025-11-03 19:54

Title

drm/nouveau: prime: fix ttm_bo_delayed_delete oops

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/nouveau: prime: fix ttm_bo_delayed_delete oops Fix an oops in ttm_bo_delayed_delete which results from dererencing a dangling pointer: Oops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP CPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216 Hardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024 Workqueue: ttm ttm_bo_delayed_delete [ttm] RIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290 Code: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 <41> 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b RSP: 0018:ffffbf9383473d60 EFLAGS: 00010202 RAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b R13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc FS: 0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0 PKRU: 55555554 Call Trace: <TASK> ? __die_body.cold+0x19/0x26 ? die_addr+0x3d/0x70 ? exc_general_protection+0x159/0x460 ? asm_exc_general_protection+0x27/0x30 ? dma_resv_iter_first_unlocked+0x55/0x290 dma_resv_wait_timeout+0x56/0x100 ttm_bo_delayed_delete+0x69/0xb0 [ttm] process_one_work+0x217/0x5c0 worker_thread+0x1c8/0x3d0 ? apply_wqattrs_cleanup.part.0+0xc0/0xc0 kthread+0x10b/0x240 ? kthreads_online_cpu+0x140/0x140 ret_from_fork+0x40/0x70 ? kthreads_online_cpu+0x140/0x140 ret_from_fork_asm+0x11/0x20 </TASK> The cause of this is: - drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the reference to the shared dma_buf. The reference count is 0, so the dma_buf is destroyed, which in turn decrements the corresponding amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed - calling drm_gem_object_release then dma_resv_fini (which destroys the reservation object), then finally freeing the amdgpu_bo. - nouveau_bo obj->bo.base.resv is now a dangling pointer to the memory formerly allocated to the amdgpu_bo. - nouveau_gem_object_del calls ttm_bo_put(&nvbo->bo) which calls ttm_bo_release, which schedules ttm_bo_delayed_delete. - ttm_bo_delayed_delete runs and dereferences the dangling resv pointer, resulting in a general protection fault. Fix this by moving the drm_prime_gem_destroy call from nouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will be run after ttm_bo_delayed_delete.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/706868a1a1072cffd…
	https://git.kernel.org/stable/c/47761deabb69a5df0…
	https://git.kernel.org/stable/c/ada78110b2d3ec88b…
	https://git.kernel.org/stable/c/12b038d521c75e352…
	https://git.kernel.org/stable/c/31e94c7989572f969…
	https://git.kernel.org/stable/c/6e2c805996a49998d…
	https://git.kernel.org/stable/c/6b95947ee780f4e1f…
	https://git.kernel.org/stable/c/8ec0fbb28d049273b…

Impacted products

Vendor

Product

Version

Linux

Affected: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 , < 706868a1a1072cffd8bd63f7e161d79141099849 (git)
Affected: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 , < 47761deabb69a5df0c2c4ec400d80bb3e072bd2e (git)
Affected: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 , < ada78110b2d3ec88b398a49703bd336d4cee7a08 (git)
Affected: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 , < 12b038d521c75e3521522503becf3bc162628469 (git)
Affected: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 , < 31e94c7989572f96926673614a3b958915a13ca9 (git)
Affected: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 , < 6e2c805996a49998d31ac522beb1534ca417e761 (git)
Affected: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 , < 6b95947ee780f4e1fb26413a1437d05bcb99712b (git)
Affected: 22b33e8ed0e38b8ddcf082e35580f2e67a3a0262 , < 8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3 (git)

Linux

Affected: 3.5
Unaffected: 0 , < 3.5 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:35.995Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nouveau_bo.c",
            "drivers/gpu/drm/nouveau/nouveau_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "706868a1a1072cffd8bd63f7e161d79141099849",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "47761deabb69a5df0c2c4ec400d80bb3e072bd2e",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "ada78110b2d3ec88b398a49703bd336d4cee7a08",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "12b038d521c75e3521522503becf3bc162628469",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "31e94c7989572f96926673614a3b958915a13ca9",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "6e2c805996a49998d31ac522beb1534ca417e761",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "6b95947ee780f4e1fb26413a1437d05bcb99712b",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            },
            {
              "lessThan": "8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3",
              "status": "affected",
              "version": "22b33e8ed0e38b8ddcf082e35580f2e67a3a0262",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/nouveau/nouveau_bo.c",
            "drivers/gpu/drm/nouveau/nouveau_gem.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.5"
            },
            {
              "lessThan": "3.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/nouveau: prime: fix ttm_bo_delayed_delete oops\n\nFix an oops in ttm_bo_delayed_delete which results from dererencing a\ndangling pointer:\n\nOops: general protection fault, probably for non-canonical address 0x6b6b6b6b6b6b6b7b: 0000 [#1] PREEMPT SMP\nCPU: 4 UID: 0 PID: 1082 Comm: kworker/u65:2 Not tainted 6.14.0-rc4-00267-g505460b44513-dirty #216\nHardware name: LENOVO 82N6/LNVNB161216, BIOS GKCN65WW 01/16/2024\nWorkqueue: ttm ttm_bo_delayed_delete [ttm]\nRIP: 0010:dma_resv_iter_first_unlocked+0x55/0x290\nCode: 31 f6 48 c7 c7 00 2b fa aa e8 97 bd 52 ff e8 a2 c1 53 00 5a 85 c0 74 48 e9 88 01 00 00 4c 89 63 20 4d 85 e4 0f 84 30 01 00 00 \u003c41\u003e 8b 44 24 10 c6 43 2c 01 48 89 df 89 43 28 e8 97 fd ff ff 4c 8b\nRSP: 0018:ffffbf9383473d60 EFLAGS: 00010202\nRAX: 0000000000000001 RBX: ffffbf9383473d88 RCX: 0000000000000000\nRDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000\nRBP: ffffbf9383473d78 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000000 R12: 6b6b6b6b6b6b6b6b\nR13: ffffa003bbf78580 R14: ffffa003a6728040 R15: 00000000000383cc\nFS:  0000000000000000(0000) GS:ffffa00991c00000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 0000758348024dd0 CR3: 000000012c259000 CR4: 0000000000f50ef0\nPKRU: 55555554\nCall Trace:\n \u003cTASK\u003e\n ? __die_body.cold+0x19/0x26\n ? die_addr+0x3d/0x70\n ? exc_general_protection+0x159/0x460\n ? asm_exc_general_protection+0x27/0x30\n ? dma_resv_iter_first_unlocked+0x55/0x290\n dma_resv_wait_timeout+0x56/0x100\n ttm_bo_delayed_delete+0x69/0xb0 [ttm]\n process_one_work+0x217/0x5c0\n worker_thread+0x1c8/0x3d0\n ? apply_wqattrs_cleanup.part.0+0xc0/0xc0\n kthread+0x10b/0x240\n ? kthreads_online_cpu+0x140/0x140\n ret_from_fork+0x40/0x70\n ? kthreads_online_cpu+0x140/0x140\n ret_from_fork_asm+0x11/0x20\n \u003c/TASK\u003e\n\nThe cause of this is:\n\n- drm_prime_gem_destroy calls dma_buf_put(dma_buf) which releases the\n  reference to the shared dma_buf. The reference count is 0, so the\n  dma_buf is destroyed, which in turn decrements the corresponding\n  amdgpu_bo reference count to 0, and the amdgpu_bo is destroyed -\n  calling drm_gem_object_release then dma_resv_fini (which destroys the\n  reservation object), then finally freeing the amdgpu_bo.\n\n- nouveau_bo obj-\u003ebo.base.resv is now a dangling pointer to the memory\n  formerly allocated to the amdgpu_bo.\n\n- nouveau_gem_object_del calls ttm_bo_put(\u0026nvbo-\u003ebo) which calls\n  ttm_bo_release, which schedules ttm_bo_delayed_delete.\n\n- ttm_bo_delayed_delete runs and dereferences the dangling resv pointer,\n  resulting in a general protection fault.\n\nFix this by moving the drm_prime_gem_destroy call from\nnouveau_gem_object_del to nouveau_bo_del_ttm. This ensures that it will\nbe run after ttm_bo_delayed_delete."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:23.788Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/706868a1a1072cffd8bd63f7e161d79141099849"
        },
        {
          "url": "https://git.kernel.org/stable/c/47761deabb69a5df0c2c4ec400d80bb3e072bd2e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ada78110b2d3ec88b398a49703bd336d4cee7a08"
        },
        {
          "url": "https://git.kernel.org/stable/c/12b038d521c75e3521522503becf3bc162628469"
        },
        {
          "url": "https://git.kernel.org/stable/c/31e94c7989572f96926673614a3b958915a13ca9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e2c805996a49998d31ac522beb1534ca417e761"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b95947ee780f4e1fb26413a1437d05bcb99712b"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ec0fbb28d049273bfd4f1e7a5ae4c74884beed3"
        }
      ],
      "title": "drm/nouveau: prime: fix ttm_bo_delayed_delete oops",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37765",
    "datePublished": "2025-05-01T13:07:06.498Z",
    "dateReserved": "2025-04-16T04:51:23.939Z",
    "dateUpdated": "2025-11-03T19:54:35.995Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37881 (GCVE-0-2025-37881)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:45 – Updated: 2025-11-03 19:56

Title

usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev() The variable d->name, returned by devm_kasprintf(), could be NULL. A pointer check is added to prevent potential NULL pointer dereference. This is similar to the fix in commit 3027e7b15b02 ("ice: Fix some null pointer dereference issues in ice_ptp.c"). This issue is found by our static analysis tool

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a777ccfb9ba8d43f7…
	https://git.kernel.org/stable/c/c8d4faf452a627f9b…
	https://git.kernel.org/stable/c/d26a6093d52904cac…
	https://git.kernel.org/stable/c/36d68151712e52545…
	https://git.kernel.org/stable/c/cfa7984f69359761b…
	https://git.kernel.org/stable/c/052fb65335befeae8…
	https://git.kernel.org/stable/c/61006ca381b4d65d2…
	https://git.kernel.org/stable/c/8c75f3e6a433d9208…

Impacted products

Vendor

Product

Version

Linux

Affected: 7ecca2a4080cb6b1fa174adc588fce9e9014c43c , < a777ccfb9ba8d43f745e41b69ba39d4a506a081e (git)
Affected: 7ecca2a4080cb6b1fa174adc588fce9e9014c43c , < c8d4faf452a627f9b09c3a5c366133a19e5b7a28 (git)
Affected: 7ecca2a4080cb6b1fa174adc588fce9e9014c43c , < d26a6093d52904cacdbb75424c323c19b443a890 (git)
Affected: 7ecca2a4080cb6b1fa174adc588fce9e9014c43c , < 36d68151712e525450f0fbb3045e7110f0d9b610 (git)
Affected: 7ecca2a4080cb6b1fa174adc588fce9e9014c43c , < cfa7984f69359761b07a7831c1258c0fde1e0389 (git)
Affected: 7ecca2a4080cb6b1fa174adc588fce9e9014c43c , < 052fb65335befeae8500e88d69ea022266baaf6d (git)
Affected: 7ecca2a4080cb6b1fa174adc588fce9e9014c43c , < 61006ca381b4d65d2b8ca695ea8da1ce18d6dee3 (git)
Affected: 7ecca2a4080cb6b1fa174adc588fce9e9014c43c , < 8c75f3e6a433d92084ad4e78b029ae680865420f (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.136 , ≤ 6.1.* (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:53.885Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/udc/aspeed-vhub/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a777ccfb9ba8d43f745e41b69ba39d4a506a081e",
              "status": "affected",
              "version": "7ecca2a4080cb6b1fa174adc588fce9e9014c43c",
              "versionType": "git"
            },
            {
              "lessThan": "c8d4faf452a627f9b09c3a5c366133a19e5b7a28",
              "status": "affected",
              "version": "7ecca2a4080cb6b1fa174adc588fce9e9014c43c",
              "versionType": "git"
            },
            {
              "lessThan": "d26a6093d52904cacdbb75424c323c19b443a890",
              "status": "affected",
              "version": "7ecca2a4080cb6b1fa174adc588fce9e9014c43c",
              "versionType": "git"
            },
            {
              "lessThan": "36d68151712e525450f0fbb3045e7110f0d9b610",
              "status": "affected",
              "version": "7ecca2a4080cb6b1fa174adc588fce9e9014c43c",
              "versionType": "git"
            },
            {
              "lessThan": "cfa7984f69359761b07a7831c1258c0fde1e0389",
              "status": "affected",
              "version": "7ecca2a4080cb6b1fa174adc588fce9e9014c43c",
              "versionType": "git"
            },
            {
              "lessThan": "052fb65335befeae8500e88d69ea022266baaf6d",
              "status": "affected",
              "version": "7ecca2a4080cb6b1fa174adc588fce9e9014c43c",
              "versionType": "git"
            },
            {
              "lessThan": "61006ca381b4d65d2b8ca695ea8da1ce18d6dee3",
              "status": "affected",
              "version": "7ecca2a4080cb6b1fa174adc588fce9e9014c43c",
              "versionType": "git"
            },
            {
              "lessThan": "8c75f3e6a433d92084ad4e78b029ae680865420f",
              "status": "affected",
              "version": "7ecca2a4080cb6b1fa174adc588fce9e9014c43c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/gadget/udc/aspeed-vhub/dev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.136",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()\n\nThe variable d-\u003ename, returned by devm_kasprintf(), could be NULL.\nA pointer check is added to prevent potential NULL pointer dereference.\nThis is similar to the fix in commit 3027e7b15b02\n(\"ice: Fix some null pointer dereference issues in ice_ptp.c\").\n\nThis issue is found by our static analysis tool"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-19T12:56:49.235Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a777ccfb9ba8d43f745e41b69ba39d4a506a081e"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8d4faf452a627f9b09c3a5c366133a19e5b7a28"
        },
        {
          "url": "https://git.kernel.org/stable/c/d26a6093d52904cacdbb75424c323c19b443a890"
        },
        {
          "url": "https://git.kernel.org/stable/c/36d68151712e525450f0fbb3045e7110f0d9b610"
        },
        {
          "url": "https://git.kernel.org/stable/c/cfa7984f69359761b07a7831c1258c0fde1e0389"
        },
        {
          "url": "https://git.kernel.org/stable/c/052fb65335befeae8500e88d69ea022266baaf6d"
        },
        {
          "url": "https://git.kernel.org/stable/c/61006ca381b4d65d2b8ca695ea8da1ce18d6dee3"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c75f3e6a433d92084ad4e78b029ae680865420f"
        }
      ],
      "title": "usb: gadget: aspeed: Add NULL pointer check in ast_vhub_init_dev()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37881",
    "datePublished": "2025-05-09T06:45:45.205Z",
    "dateReserved": "2025-04-16T04:51:23.962Z",
    "dateUpdated": "2025-11-03T19:56:53.885Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21772 (GCVE-0-2025-21772)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2026-01-02 15:28

Title

partitions: mac: fix handling of bogus partition table

Summary

In the Linux kernel, the following vulnerability has been resolved: partitions: mac: fix handling of bogus partition table Fix several issues in partition probing: - The bailout for a bad partoffset must use put_dev_sector(), since the preceding read_part_sector() succeeded. - If the partition table claims a silly sector size like 0xfff bytes (which results in partition table entries straddling sector boundaries), bail out instead of accessing out-of-bounds memory. - We must not assume that the partition table contains proper NUL termination - use strnlen() and strncmp() instead of strlen() and strcmp().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a3e77da9f843e4ab9…
	https://git.kernel.org/stable/c/213ba5bd81b7e97ac…
	https://git.kernel.org/stable/c/40a35d14f3c0dc72b…
	https://git.kernel.org/stable/c/27a39d006f85e869b…
	https://git.kernel.org/stable/c/92527100be38ede92…
	https://git.kernel.org/stable/c/6578717ebca916781…
	https://git.kernel.org/stable/c/7fa9706722882f634…
	https://git.kernel.org/stable/c/80e648042e512d5a7…

Impacted products

Vendor

Product

Version

Linux

Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < a3e77da9f843e4ab93917d30c314f0283e28c124 (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 213ba5bd81b7e97ac6e6190b8f3bc6ba76123625 (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 40a35d14f3c0dc72b689061ec72fc9b193f37d1f (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 27a39d006f85e869be68c1d5d2ce05e5d6445bf5 (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 92527100be38ede924768f4277450dfe8a40e16b (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 6578717ebca91678131d2b1f4ba4258e60536e9f (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 7fa9706722882f634090bfc9af642bf9ed719e27 (git)
Affected: 02e2a5bfebe99edcf9d694575a75032d53fe1b73 , < 80e648042e512d5a767da251d44132553fe04ae0 (git)
Affected: 81a319c5c29913a23947f3d28513974682f3af03 (git)
Affected: 34a906cd9f6445d9510841667eff0d980279ebf3 (git)
Affected: 2a27f61bd411e564eb4651c18d225f6e9e1de534 (git)
Affected: 69aad7e01c8e883e9d2f8dc5523bd419bd02d2aa (git)
Affected: 7f4f03c4a1e9a4b9679feafe7625a780864a4e76 (git)

Linux

Affected: 4.4
Unaffected: 0 , < 4.4 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.79 , ≤ 6.6.* (semver)
Unaffected: 6.12.16 , ≤ 6.12.* (semver)
Unaffected: 6.13.4 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:37:27.124Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/partitions/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a3e77da9f843e4ab93917d30c314f0283e28c124",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "213ba5bd81b7e97ac6e6190b8f3bc6ba76123625",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "40a35d14f3c0dc72b689061ec72fc9b193f37d1f",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "27a39d006f85e869be68c1d5d2ce05e5d6445bf5",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "92527100be38ede924768f4277450dfe8a40e16b",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "6578717ebca91678131d2b1f4ba4258e60536e9f",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "7fa9706722882f634090bfc9af642bf9ed719e27",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "lessThan": "80e648042e512d5a767da251d44132553fe04ae0",
              "status": "affected",
              "version": "02e2a5bfebe99edcf9d694575a75032d53fe1b73",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "81a319c5c29913a23947f3d28513974682f3af03",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "34a906cd9f6445d9510841667eff0d980279ebf3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2a27f61bd411e564eb4651c18d225f6e9e1de534",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "69aad7e01c8e883e9d2f8dc5523bd419bd02d2aa",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7f4f03c4a1e9a4b9679feafe7625a780864a4e76",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/partitions/mac.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.4"
            },
            {
              "lessThan": "4.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.4.113",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.99",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.56",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.63",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npartitions: mac: fix handling of bogus partition table\n\nFix several issues in partition probing:\n\n - The bailout for a bad partoffset must use put_dev_sector(), since the\n   preceding read_part_sector() succeeded.\n - If the partition table claims a silly sector size like 0xfff bytes\n   (which results in partition table entries straddling sector boundaries),\n   bail out instead of accessing out-of-bounds memory.\n - We must not assume that the partition table contains proper NUL\n   termination - use strnlen() and strncmp() instead of strlen() and\n   strcmp()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:28:33.911Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a3e77da9f843e4ab93917d30c314f0283e28c124"
        },
        {
          "url": "https://git.kernel.org/stable/c/213ba5bd81b7e97ac6e6190b8f3bc6ba76123625"
        },
        {
          "url": "https://git.kernel.org/stable/c/40a35d14f3c0dc72b689061ec72fc9b193f37d1f"
        },
        {
          "url": "https://git.kernel.org/stable/c/27a39d006f85e869be68c1d5d2ce05e5d6445bf5"
        },
        {
          "url": "https://git.kernel.org/stable/c/92527100be38ede924768f4277450dfe8a40e16b"
        },
        {
          "url": "https://git.kernel.org/stable/c/6578717ebca91678131d2b1f4ba4258e60536e9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7fa9706722882f634090bfc9af642bf9ed719e27"
        },
        {
          "url": "https://git.kernel.org/stable/c/80e648042e512d5a767da251d44132553fe04ae0"
        }
      ],
      "title": "partitions: mac: fix handling of bogus partition table",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21772",
    "datePublished": "2025-02-27T02:18:19.528Z",
    "dateReserved": "2024-12-29T08:45:45.762Z",
    "dateUpdated": "2026-01-02T15:28:33.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22038 (GCVE-0-2025-22038)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2025-11-03 19:41

Title

ksmbd: validate zero num_subauth before sub_auth is accessed

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate zero num_subauth before sub_auth is accessed Access psid->sub_auth[psid->num_subauth - 1] without checking if num_subauth is non-zero leads to an out-of-bounds read. This patch adds a validation step to ensure num_subauth != 0 before sub_auth is accessed.

Severity ?

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H

CWE

CWE-125 - Out-of-bounds Read

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3ac65de111c686c95…
	https://git.kernel.org/stable/c/0e36a3e080d6d8bd7…
	https://git.kernel.org/stable/c/56de7778a48560278…
	https://git.kernel.org/stable/c/68c6c3142bfcdb049…
	https://git.kernel.org/stable/c/c8bfe1954a0b89e7b…
	https://git.kernel.org/stable/c/bf21e29d78cd2c237…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 3ac65de111c686c95316ade660f8ba7aea3cd3cc (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 0e36a3e080d6d8bd7a34e089345d043da4ac8283 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 56de7778a48560278c334077ace7b9ac4bfb2fd1 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 68c6c3142bfcdb049839d40a9a59ebe8ea865002 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < c8bfe1954a0b89e7b29b3a3e7f4c5e0ebd295e20 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < bf21e29d78cd2c2371023953d9c82dfef82ebb36 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22038",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T18:13:11.878668Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-125",
                "description": "CWE-125 Out-of-bounds Read",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T18:13:16.440Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:20.321Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3ac65de111c686c95316ade660f8ba7aea3cd3cc",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "0e36a3e080d6d8bd7a34e089345d043da4ac8283",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "56de7778a48560278c334077ace7b9ac4bfb2fd1",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "68c6c3142bfcdb049839d40a9a59ebe8ea865002",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "c8bfe1954a0b89e7b29b3a3e7f4c5e0ebd295e20",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "bf21e29d78cd2c2371023953d9c82dfef82ebb36",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smbacl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: validate zero num_subauth before sub_auth is accessed\n\nAccess psid-\u003esub_auth[psid-\u003enum_subauth - 1] without checking\nif num_subauth is non-zero leads to an out-of-bounds read.\nThis patch adds a validation step to ensure num_subauth != 0\nbefore sub_auth is accessed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:07.436Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3ac65de111c686c95316ade660f8ba7aea3cd3cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/0e36a3e080d6d8bd7a34e089345d043da4ac8283"
        },
        {
          "url": "https://git.kernel.org/stable/c/56de7778a48560278c334077ace7b9ac4bfb2fd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/68c6c3142bfcdb049839d40a9a59ebe8ea865002"
        },
        {
          "url": "https://git.kernel.org/stable/c/c8bfe1954a0b89e7b29b3a3e7f4c5e0ebd295e20"
        },
        {
          "url": "https://git.kernel.org/stable/c/bf21e29d78cd2c2371023953d9c82dfef82ebb36"
        }
      ],
      "title": "ksmbd: validate zero num_subauth before sub_auth is accessed",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22038",
    "datePublished": "2025-04-16T14:11:56.316Z",
    "dateReserved": "2024-12-29T08:45:45.809Z",
    "dateUpdated": "2025-11-03T19:41:20.321Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37853 (GCVE-0-2025-37853)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:41 – Updated: 2025-09-16 08:02

Title

drm/amdkfd: debugfs hang_hws skip GPU with MES

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdkfd: debugfs hang_hws skip GPU with MES debugfs hang_hws is used by GPU reset test with HWS, for MES this crash the kernel with NULL pointer access because dqm->packet_mgr is not setup for MES path. Skip GPU with MES for now, MES hang_hws debugfs interface will be supported later.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a36f8d544522a19ef…
	https://git.kernel.org/stable/c/1a322b330dc0b775d…
	https://git.kernel.org/stable/c/f84c57906f0fd2185…
	https://git.kernel.org/stable/c/24b9e0e2e6147314c…
	https://git.kernel.org/stable/c/fe9d0061c413f8fb8…

Impacted products

Vendor

Product

Version

Linux

Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < a36f8d544522a19ef06ed9e84667d154dcb6be52 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 1a322b330dc0b775d1d7a84e55c752d9451bfe7d (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < f84c57906f0fd2185e557d2552b20aa8430a4677 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < 24b9e0e2e6147314c22d821f0542c4dd9a320c40 (git)
Affected: 4a488a7ad71401169cecee75dc94bcce642e2c53 , < fe9d0061c413f8fb8c529b18b592b04170850ded (git)

Linux

Affected: 3.19
Unaffected: 0 , < 3.19 (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a36f8d544522a19ef06ed9e84667d154dcb6be52",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "1a322b330dc0b775d1d7a84e55c752d9451bfe7d",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "f84c57906f0fd2185e557d2552b20aa8430a4677",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "24b9e0e2e6147314c22d821f0542c4dd9a320c40",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            },
            {
              "lessThan": "fe9d0061c413f8fb8c529b18b592b04170850ded",
              "status": "affected",
              "version": "4a488a7ad71401169cecee75dc94bcce642e2c53",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdkfd/kfd_device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.19"
            },
            {
              "lessThan": "3.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdkfd: debugfs hang_hws skip GPU with MES\n\ndebugfs hang_hws is used by GPU reset test with HWS, for MES this crash\nthe kernel with NULL pointer access because dqm-\u003epacket_mgr is not setup\nfor MES path.\n\nSkip GPU with MES for now, MES hang_hws debugfs interface will be\nsupported later."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-16T08:02:59.747Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a36f8d544522a19ef06ed9e84667d154dcb6be52"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a322b330dc0b775d1d7a84e55c752d9451bfe7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f84c57906f0fd2185e557d2552b20aa8430a4677"
        },
        {
          "url": "https://git.kernel.org/stable/c/24b9e0e2e6147314c22d821f0542c4dd9a320c40"
        },
        {
          "url": "https://git.kernel.org/stable/c/fe9d0061c413f8fb8c529b18b592b04170850ded"
        }
      ],
      "title": "drm/amdkfd: debugfs hang_hws skip GPU with MES",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37853",
    "datePublished": "2025-05-09T06:41:59.713Z",
    "dateReserved": "2025-04-16T04:51:23.955Z",
    "dateUpdated": "2025-09-16T08:02:59.747Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37834 (GCVE-0-2025-37834)

Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2026-01-02 15:29

Title

mm/vmscan: don't try to reclaim hwpoison folio

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/vmscan: don't try to reclaim hwpoison folio Syzkaller reports a bug as follows: Injecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000 Memory failure: 0x18b00e: dirty swapcache page still referenced by 2 users Memory failure: 0x18b00e: recovery action for dirty swapcache page: Failed page: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e memcg:ffff0000dd6d9000 anon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff) raw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9 raw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000 page dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio)) ------------[ cut here ]------------ kernel BUG at mm/swap_state.c:184! Internal error: Oops - BUG: 00000000f2000800 [#1] SMP Modules linked in: CPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3 Hardware name: linux,dummy-virt (DT) pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : add_to_swap+0xbc/0x158 lr : add_to_swap+0xbc/0x158 sp : ffff800087f37340 x29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780 x26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0 x23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4 x20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000 x17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c x14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b x11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000 x8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001 x5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000 Call trace: add_to_swap+0xbc/0x158 shrink_folio_list+0x12ac/0x2648 shrink_inactive_list+0x318/0x948 shrink_lruvec+0x450/0x720 shrink_node_memcgs+0x280/0x4a8 shrink_node+0x128/0x978 balance_pgdat+0x4f0/0xb20 kswapd+0x228/0x438 kthread+0x214/0x230 ret_from_fork+0x10/0x20 I can reproduce this issue with the following steps: 1) When a dirty swapcache page is isolated by reclaim process and the page isn't locked, inject memory failure for the page. me_swapcache_dirty() clears uptodate flag and tries to delete from lru, but fails. Reclaim process will put the hwpoisoned page back to lru. 2) The process that maps the hwpoisoned page exits, the page is deleted the page will never be freed and will be in the lru forever. 3) If we trigger a reclaim again and tries to reclaim the page, add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is cleared. To fix it, skip the hwpoisoned page in shrink_folio_list(). Besides, the hwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap it in shrink_folio_list(), otherwise the folio will fail to be unmaped by hwpoison_user_mappings() since the folio isn't in lru list.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1c9798bf8145a92ab…
	https://git.kernel.org/stable/c/912e9f0300c3564b7…
	https://git.kernel.org/stable/c/1b0449544c6482179…

Impacted products

Vendor

Product

Version

Linux

Affected: 6a46079cf57a7f7758e8b926980a4f852f89b34d , < 1c9798bf8145a92abf45aa9d38a6406d9eb8bdf0 (git)
Affected: 6a46079cf57a7f7758e8b926980a4f852f89b34d , < 912e9f0300c3564b72a8808db406e313193a37ad (git)
Affected: 6a46079cf57a7f7758e8b926980a4f852f89b34d , < 1b0449544c6482179ac84530b61fc192a6527bfd (git)

Linux

Affected: 2.6.32
Unaffected: 0 , < 2.6.32 (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/vmscan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1c9798bf8145a92abf45aa9d38a6406d9eb8bdf0",
              "status": "affected",
              "version": "6a46079cf57a7f7758e8b926980a4f852f89b34d",
              "versionType": "git"
            },
            {
              "lessThan": "912e9f0300c3564b72a8808db406e313193a37ad",
              "status": "affected",
              "version": "6a46079cf57a7f7758e8b926980a4f852f89b34d",
              "versionType": "git"
            },
            {
              "lessThan": "1b0449544c6482179ac84530b61fc192a6527bfd",
              "status": "affected",
              "version": "6a46079cf57a7f7758e8b926980a4f852f89b34d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/vmscan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.32"
            },
            {
              "lessThan": "2.6.32",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.32",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vmscan: don\u0027t try to reclaim hwpoison folio\n\nSyzkaller reports a bug as follows:\n\nInjecting memory failure for pfn 0x18b00e at process virtual address 0x20ffd000\nMemory failure: 0x18b00e: dirty swapcache page still referenced by 2 users\nMemory failure: 0x18b00e: recovery action for dirty swapcache page: Failed\npage: refcount:2 mapcount:0 mapping:0000000000000000 index:0x20ffd pfn:0x18b00e\nmemcg:ffff0000dd6d9000\nanon flags: 0x5ffffe00482011(locked|dirty|arch_1|swapbacked|hwpoison|node=0|zone=2|lastcpupid=0xfffff)\nraw: 005ffffe00482011 dead000000000100 dead000000000122 ffff0000e232a7c9\nraw: 0000000000020ffd 0000000000000000 00000002ffffffff ffff0000dd6d9000\npage dumped because: VM_BUG_ON_FOLIO(!folio_test_uptodate(folio))\n------------[ cut here ]------------\nkernel BUG at mm/swap_state.c:184!\nInternal error: Oops - BUG: 00000000f2000800 [#1] SMP\nModules linked in:\nCPU: 0 PID: 60 Comm: kswapd0 Not tainted 6.6.0-gcb097e7de84e #3\nHardware name: linux,dummy-virt (DT)\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : add_to_swap+0xbc/0x158\nlr : add_to_swap+0xbc/0x158\nsp : ffff800087f37340\nx29: ffff800087f37340 x28: fffffc00052c0380 x27: ffff800087f37780\nx26: ffff800087f37490 x25: ffff800087f37c78 x24: ffff800087f377a0\nx23: ffff800087f37c50 x22: 0000000000000000 x21: fffffc00052c03b4\nx20: 0000000000000000 x19: fffffc00052c0380 x18: 0000000000000000\nx17: 296f696c6f662865 x16: 7461646f7470755f x15: 747365745f6f696c\nx14: 6f6621284f494c4f x13: 0000000000000001 x12: ffff600036d8b97b\nx11: 1fffe00036d8b97a x10: ffff600036d8b97a x9 : dfff800000000000\nx8 : 00009fffc9274686 x7 : ffff0001b6c5cbd3 x6 : 0000000000000001\nx5 : ffff0000c25896c0 x4 : 0000000000000000 x3 : 0000000000000000\nx2 : 0000000000000000 x1 : ffff0000c25896c0 x0 : 0000000000000000\nCall trace:\n add_to_swap+0xbc/0x158\n shrink_folio_list+0x12ac/0x2648\n shrink_inactive_list+0x318/0x948\n shrink_lruvec+0x450/0x720\n shrink_node_memcgs+0x280/0x4a8\n shrink_node+0x128/0x978\n balance_pgdat+0x4f0/0xb20\n kswapd+0x228/0x438\n kthread+0x214/0x230\n ret_from_fork+0x10/0x20\n\nI can reproduce this issue with the following steps:\n\n1) When a dirty swapcache page is isolated by reclaim process and the\n   page isn\u0027t locked, inject memory failure for the page. \n   me_swapcache_dirty() clears uptodate flag and tries to delete from lru,\n   but fails.  Reclaim process will put the hwpoisoned page back to lru.\n\n2) The process that maps the hwpoisoned page exits, the page is deleted\n   the page will never be freed and will be in the lru forever.\n\n3) If we trigger a reclaim again and tries to reclaim the page,\n   add_to_swap() will trigger VM_BUG_ON_FOLIO due to the uptodate flag is\n   cleared.\n\nTo fix it, skip the hwpoisoned page in shrink_folio_list().  Besides, the\nhwpoison folio may not be unmapped by hwpoison_user_mappings() yet, unmap\nit in shrink_folio_list(), otherwise the folio will fail to be unmaped by\nhwpoison_user_mappings() since the folio isn\u0027t in lru list."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:10.825Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1c9798bf8145a92abf45aa9d38a6406d9eb8bdf0"
        },
        {
          "url": "https://git.kernel.org/stable/c/912e9f0300c3564b72a8808db406e313193a37ad"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b0449544c6482179ac84530b61fc192a6527bfd"
        }
      ],
      "title": "mm/vmscan: don\u0027t try to reclaim hwpoison folio",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37834",
    "datePublished": "2025-05-08T06:26:24.463Z",
    "dateReserved": "2025-04-16T04:51:23.951Z",
    "dateUpdated": "2026-01-02T15:29:10.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57979 (GCVE-0-2024-57979)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:32

Title

pps: Fix a use-after-free

Summary

In the Linux kernel, the following vulnerability has been resolved: pps: Fix a use-after-free On a board running ntpd and gpsd, I'm seeing a consistent use-after-free in sys_exit() from gpsd when rebooting: pps pps1: removed ------------[ cut here ]------------ kobject: '(null)' (00000000db4bec24): is not initialized, yet kobject_put() is being called. WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150 CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1 Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT) pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : kobject_put+0x120/0x150 lr : kobject_put+0x120/0x150 sp : ffffffc0803d3ae0 x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001 x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440 x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600 x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20 x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000 x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000 Call trace: kobject_put+0x120/0x150 cdev_put+0x20/0x3c __fput+0x2c4/0x2d8 ____fput+0x1c/0x38 task_work_run+0x70/0xfc do_exit+0x2a0/0x924 do_group_exit+0x34/0x90 get_signal+0x7fc/0x8c0 do_signal+0x128/0x13b4 do_notify_resume+0xdc/0x160 el0_svc+0xd4/0xf8 el0t_64_sync_handler+0x140/0x14c el0t_64_sync+0x190/0x194 ---[ end trace 0000000000000000 ]--- ...followed by more symptoms of corruption, with similar stacks: refcount_t: underflow; use-after-free. kernel BUG at lib/list_debug.c:62! Kernel panic - not syncing: Oops - BUG: Fatal exception This happens because pps_device_destruct() frees the pps_device with the embedded cdev immediately after calling cdev_del(), but, as the comment above cdev_del() notes, fops for previously opened cdevs are still callable even after cdev_del() returns. I think this bug has always been there: I can't explain why it suddenly started happening every time I reboot this particular board. In commit d953e0e837e6 ("pps: Fix a use-after free bug when unregistering a source."), George Spelvin suggested removing the embedded cdev. That seems like the simplest way to fix this, so I've implemented his suggestion, using __register_chrdev() with pps_idr becoming the source of truth for which minor corresponds to which device. But now that pps_idr defines userspace visibility instead of cdev_add(), we need to be sure the pps->dev refcount can't reach zero while userspace can still find it again. So, the idr_remove() call moves to pps_unregister_cdev(), and pps_idr now holds a reference to pps->dev. pps_core: source serial1 got cdev (251:1) <...> pps pps1: removed pps_core: unregistering pps1 pps_core: deallocating pps1

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/785c78ed0d39d1717…
	https://git.kernel.org/stable/c/1a7735ab2cb974751…
	https://git.kernel.org/stable/c/c4041b6b0a7a3def8…
	https://git.kernel.org/stable/c/91932db1d96b29522…
	https://git.kernel.org/stable/c/cd3bbcb6b3a7caa5c…
	https://git.kernel.org/stable/c/7e5ee3281dc090143…
	https://git.kernel.org/stable/c/85241f7de216f8298…
	https://git.kernel.org/stable/c/c79a39dc8d060b9e6…

Impacted products

Vendor

Product

Version

Linux

Affected: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 , < 785c78ed0d39d1717cca3ef931d3e51337b5e90e (git)
Affected: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 , < 1a7735ab2cb9747518a7416fb5929e85442dec62 (git)
Affected: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 , < c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7 (git)
Affected: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 , < 91932db1d96b2952299ce30c1c693d834d10ace6 (git)
Affected: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 , < cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64 (git)
Affected: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 , < 7e5ee3281dc09014367f5112b6d566ba36ea2d49 (git)
Affected: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 , < 85241f7de216f8298f6e48540ea13d7dcd100870 (git)
Affected: d953e0e837e65ecc1ddaa4f9560f7925878a0de6 , < c79a39dc8d060b9e64e8b0fa9d245d44befeefbe (git)
Affected: 77327a71f9841b7dfa708195d1cb133d4ef4a989 (git)
Affected: cd59fb14918a6b20c1ac8be121fa6397b97b00cb (git)
Affected: 49626fbb0360332e40fd76a48cb2ba876d6134ad (git)

Linux

Affected: 3.9
Unaffected: 0 , < 3.9 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57979",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:45.747533Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:30.363Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:32:56.266Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pps/clients/pps-gpio.c",
            "drivers/pps/clients/pps-ktimer.c",
            "drivers/pps/clients/pps-ldisc.c",
            "drivers/pps/clients/pps_parport.c",
            "drivers/pps/kapi.c",
            "drivers/pps/kc.c",
            "drivers/pps/pps.c",
            "drivers/ptp/ptp_ocp.c",
            "include/linux/pps_kernel.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "785c78ed0d39d1717cca3ef931d3e51337b5e90e",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "1a7735ab2cb9747518a7416fb5929e85442dec62",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "91932db1d96b2952299ce30c1c693d834d10ace6",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "7e5ee3281dc09014367f5112b6d566ba36ea2d49",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "85241f7de216f8298f6e48540ea13d7dcd100870",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "lessThan": "c79a39dc8d060b9e64e8b0fa9d245d44befeefbe",
              "status": "affected",
              "version": "d953e0e837e65ecc1ddaa4f9560f7925878a0de6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "77327a71f9841b7dfa708195d1cb133d4ef4a989",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "cd59fb14918a6b20c1ac8be121fa6397b97b00cb",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "49626fbb0360332e40fd76a48cb2ba876d6134ad",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pps/clients/pps-gpio.c",
            "drivers/pps/clients/pps-ktimer.c",
            "drivers/pps/clients/pps-ldisc.c",
            "drivers/pps/clients/pps_parport.c",
            "drivers/pps/kapi.c",
            "drivers/pps/kc.c",
            "drivers/pps/pps.c",
            "drivers/ptp/ptp_ocp.c",
            "include/linux/pps_kernel.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.9"
            },
            {
              "lessThan": "3.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.40",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.4.87",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.8.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npps: Fix a use-after-free\n\nOn a board running ntpd and gpsd, I\u0027m seeing a consistent use-after-free\nin sys_exit() from gpsd when rebooting:\n\n    pps pps1: removed\n    ------------[ cut here ]------------\n    kobject: \u0027(null)\u0027 (00000000db4bec24): is not initialized, yet kobject_put() is being called.\n    WARNING: CPU: 2 PID: 440 at lib/kobject.c:734 kobject_put+0x120/0x150\n    CPU: 2 UID: 299 PID: 440 Comm: gpsd Not tainted 6.11.0-rc6-00308-gb31c44928842 #1\n    Hardware name: Raspberry Pi 4 Model B Rev 1.1 (DT)\n    pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n    pc : kobject_put+0x120/0x150\n    lr : kobject_put+0x120/0x150\n    sp : ffffffc0803d3ae0\n    x29: ffffffc0803d3ae0 x28: ffffff8042dc9738 x27: 0000000000000001\n    x26: 0000000000000000 x25: ffffff8042dc9040 x24: ffffff8042dc9440\n    x23: ffffff80402a4620 x22: ffffff8042ef4bd0 x21: ffffff80405cb600\n    x20: 000000000008001b x19: ffffff8040b3b6e0 x18: 0000000000000000\n    x17: 0000000000000000 x16: 0000000000000000 x15: 696e6920746f6e20\n    x14: 7369203a29343263 x13: 205d303434542020 x12: 0000000000000000\n    x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000\n    x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n    x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000000\n    x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000000\n    Call trace:\n     kobject_put+0x120/0x150\n     cdev_put+0x20/0x3c\n     __fput+0x2c4/0x2d8\n     ____fput+0x1c/0x38\n     task_work_run+0x70/0xfc\n     do_exit+0x2a0/0x924\n     do_group_exit+0x34/0x90\n     get_signal+0x7fc/0x8c0\n     do_signal+0x128/0x13b4\n     do_notify_resume+0xdc/0x160\n     el0_svc+0xd4/0xf8\n     el0t_64_sync_handler+0x140/0x14c\n     el0t_64_sync+0x190/0x194\n    ---[ end trace 0000000000000000 ]---\n\n...followed by more symptoms of corruption, with similar stacks:\n\n    refcount_t: underflow; use-after-free.\n    kernel BUG at lib/list_debug.c:62!\n    Kernel panic - not syncing: Oops - BUG: Fatal exception\n\nThis happens because pps_device_destruct() frees the pps_device with the\nembedded cdev immediately after calling cdev_del(), but, as the comment\nabove cdev_del() notes, fops for previously opened cdevs are still\ncallable even after cdev_del() returns. I think this bug has always\nbeen there: I can\u0027t explain why it suddenly started happening every time\nI reboot this particular board.\n\nIn commit d953e0e837e6 (\"pps: Fix a use-after free bug when\nunregistering a source.\"), George Spelvin suggested removing the\nembedded cdev. That seems like the simplest way to fix this, so I\u0027ve\nimplemented his suggestion, using __register_chrdev() with pps_idr\nbecoming the source of truth for which minor corresponds to which\ndevice.\n\nBut now that pps_idr defines userspace visibility instead of cdev_add(),\nwe need to be sure the pps-\u003edev refcount can\u0027t reach zero while\nuserspace can still find it again. So, the idr_remove() call moves to\npps_unregister_cdev(), and pps_idr now holds a reference to pps-\u003edev.\n\n    pps_core: source serial1 got cdev (251:1)\n    \u003c...\u003e\n    pps pps1: removed\n    pps_core: unregistering pps1\n    pps_core: deallocating pps1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:47.796Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/785c78ed0d39d1717cca3ef931d3e51337b5e90e"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a7735ab2cb9747518a7416fb5929e85442dec62"
        },
        {
          "url": "https://git.kernel.org/stable/c/c4041b6b0a7a3def8cf3f3d6120ff337bc4c40f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/91932db1d96b2952299ce30c1c693d834d10ace6"
        },
        {
          "url": "https://git.kernel.org/stable/c/cd3bbcb6b3a7caa5ce67de76723b6d8531fb7f64"
        },
        {
          "url": "https://git.kernel.org/stable/c/7e5ee3281dc09014367f5112b6d566ba36ea2d49"
        },
        {
          "url": "https://git.kernel.org/stable/c/85241f7de216f8298f6e48540ea13d7dcd100870"
        },
        {
          "url": "https://git.kernel.org/stable/c/c79a39dc8d060b9e64e8b0fa9d245d44befeefbe"
        }
      ],
      "title": "pps: Fix a use-after-free",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57979",
    "datePublished": "2025-02-27T02:07:06.168Z",
    "dateReserved": "2025-02-27T02:04:28.912Z",
    "dateUpdated": "2025-11-03T19:32:56.266Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37825 (GCVE-0-2025-37825)

Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2025-05-26 05:21

Title

nvmet: fix out-of-bounds access in nvmet_enable_port

Summary

In the Linux kernel, the following vulnerability has been resolved: nvmet: fix out-of-bounds access in nvmet_enable_port When trying to enable a port that has no transport configured yet, nvmet_enable_port() uses NVMF_TRTYPE_MAX (255) to query the transports array, causing an out-of-bounds access: [ 106.058694] BUG: KASAN: global-out-of-bounds in nvmet_enable_port+0x42/0x1da [ 106.058719] Read of size 8 at addr ffffffff89dafa58 by task ln/632 [...] [ 106.076026] nvmet: transport type 255 not supported Since commit 200adac75888, NVMF_TRTYPE_MAX is the default state as configured by nvmet_ports_make(). Avoid this by checking for NVMF_TRTYPE_MAX before proceeding.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/83c00860a37b3fcba…
	https://git.kernel.org/stable/c/3d7aa0c7b4e96cd46…

Impacted products

Vendor

Product

Version

Linux

Affected: 200adac75888182c09027e9b7852507dabd87034 , < 83c00860a37b3fcba8026cb344101f1b8af547cf (git)
Affected: 200adac75888182c09027e9b7852507dabd87034 , < 3d7aa0c7b4e96cd460826d932e44710cdeb3378b (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "83c00860a37b3fcba8026cb344101f1b8af547cf",
              "status": "affected",
              "version": "200adac75888182c09027e9b7852507dabd87034",
              "versionType": "git"
            },
            {
              "lessThan": "3d7aa0c7b4e96cd460826d932e44710cdeb3378b",
              "status": "affected",
              "version": "200adac75888182c09027e9b7852507dabd87034",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/nvme/target/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnvmet: fix out-of-bounds access in nvmet_enable_port\n\nWhen trying to enable a port that has no transport configured yet,\nnvmet_enable_port() uses NVMF_TRTYPE_MAX (255) to query the transports\narray, causing an out-of-bounds access:\n\n[  106.058694] BUG: KASAN: global-out-of-bounds in nvmet_enable_port+0x42/0x1da\n[  106.058719] Read of size 8 at addr ffffffff89dafa58 by task ln/632\n[...]\n[  106.076026] nvmet: transport type 255 not supported\n\nSince commit 200adac75888, NVMF_TRTYPE_MAX is the default state as configured by\nnvmet_ports_make().\nAvoid this by checking for NVMF_TRTYPE_MAX before proceeding."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:41.660Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/83c00860a37b3fcba8026cb344101f1b8af547cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d7aa0c7b4e96cd460826d932e44710cdeb3378b"
        }
      ],
      "title": "nvmet: fix out-of-bounds access in nvmet_enable_port",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37825",
    "datePublished": "2025-05-08T06:26:18.094Z",
    "dateReserved": "2025-04-16T04:51:23.950Z",
    "dateUpdated": "2025-05-26T05:21:41.660Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-49909 (GCVE-0-2022-49909)

Vulnerability from cvelistv5 – Published: 2025-05-01 14:10 – Updated: 2025-12-02 15:42

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2025-12-02T15:42:00.731Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49909",
    "datePublished": "2025-05-01T14:10:52.331Z",
    "dateRejected": "2025-12-02T15:42:00.731Z",
    "dateReserved": "2025-05-01T14:05:17.247Z",
    "dateUpdated": "2025-12-02T15:42:00.731Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21951 (GCVE-0-2025-21951)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock

Summary

In the Linux kernel, the following vulnerability has been resolved: bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock There are multiple places from where the recovery work gets scheduled asynchronously. Also, there are multiple places where the caller waits synchronously for the recovery to be completed. One such place is during the PM shutdown() callback. If the device is not alive during recovery_work, it will try to reset the device using pci_reset_function(). This function internally will take the device_lock() first before resetting the device. By this time, if the lock has already been acquired, then recovery_work will get stalled while waiting for the lock. And if the lock was already acquired by the caller which waits for the recovery_work to be completed, it will lead to deadlock. This is what happened on the X1E80100 CRD device when the device died before shutdown() callback. Driver core calls the driver's shutdown() callback while holding the device_lock() leading to deadlock. And this deadlock scenario can occur on other paths as well, like during the PM suspend() callback, where the driver core would hold the device_lock() before calling driver's suspend() callback. And if the recovery_work was already started, it could lead to deadlock. This is also observed on the X1E80100 CRD. So to fix both issues, use pci_try_reset_function() in recovery_work. This function first checks for the availability of the device_lock() before trying to reset the device. If the lock is available, it will acquire it and reset the device. Otherwise, it will return -EAGAIN. If that happens, recovery_work will fail with the error message "Recovery failed" as not much could be done.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - Improper Locking

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7746f3bb8917fccb4…
	https://git.kernel.org/stable/c/7a5ffadd54fe2662f…
	https://git.kernel.org/stable/c/1f9eb7078bc6b5fb5…
	https://git.kernel.org/stable/c/985d3cf56d8745ca6…
	https://git.kernel.org/stable/c/62505657475c245c9…
	https://git.kernel.org/stable/c/a321d163de3d8aa38…

Impacted products

Vendor

Product

Version

Linux

Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 7746f3bb8917fccb4571a576f3837d80fc513054 (git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 7a5ffadd54fe2662f5c99cdccf30144d060376f7 (git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95 (git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 985d3cf56d8745ca637deee273929e01df449f85 (git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < 62505657475c245c9cd46e42ac01026d1e61f027 (git)
Affected: 7389337f0a78ea099c47f0af08f64f20c52ab4ba , < a321d163de3d8aa38a6449ab2becf4b1581aed96 (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21951",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:16:49.794913Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-667",
                "description": "CWE-667 Improper Locking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:16:52.646Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:52.892Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/bus/mhi/host/pci_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7746f3bb8917fccb4571a576f3837d80fc513054",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            },
            {
              "lessThan": "7a5ffadd54fe2662f5c99cdccf30144d060376f7",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            },
            {
              "lessThan": "1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            },
            {
              "lessThan": "985d3cf56d8745ca637deee273929e01df449f85",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            },
            {
              "lessThan": "62505657475c245c9cd46e42ac01026d1e61f027",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            },
            {
              "lessThan": "a321d163de3d8aa38a6449ab2becf4b1581aed96",
              "status": "affected",
              "version": "7389337f0a78ea099c47f0af08f64f20c52ab4ba",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/bus/mhi/host/pci_generic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock\n\nThere are multiple places from where the recovery work gets scheduled\nasynchronously. Also, there are multiple places where the caller waits\nsynchronously for the recovery to be completed. One such place is during\nthe PM shutdown() callback.\n\nIf the device is not alive during recovery_work, it will try to reset the\ndevice using pci_reset_function(). This function internally will take the\ndevice_lock() first before resetting the device. By this time, if the lock\nhas already been acquired, then recovery_work will get stalled while\nwaiting for the lock. And if the lock was already acquired by the caller\nwhich waits for the recovery_work to be completed, it will lead to\ndeadlock.\n\nThis is what happened on the X1E80100 CRD device when the device died\nbefore shutdown() callback. Driver core calls the driver\u0027s shutdown()\ncallback while holding the device_lock() leading to deadlock.\n\nAnd this deadlock scenario can occur on other paths as well, like during\nthe PM suspend() callback, where the driver core would hold the\ndevice_lock() before calling driver\u0027s suspend() callback. And if the\nrecovery_work was already started, it could lead to deadlock. This is also\nobserved on the X1E80100 CRD.\n\nSo to fix both issues, use pci_try_reset_function() in recovery_work. This\nfunction first checks for the availability of the device_lock() before\ntrying to reset the device. If the lock is available, it will acquire it\nand reset the device. Otherwise, it will return -EAGAIN. If that happens,\nrecovery_work will fail with the error message \"Recovery failed\" as not\nmuch could be done."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:37.191Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7746f3bb8917fccb4571a576f3837d80fc513054"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a5ffadd54fe2662f5c99cdccf30144d060376f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1f9eb7078bc6b5fb5cbfbcb37c4bc01685332b95"
        },
        {
          "url": "https://git.kernel.org/stable/c/985d3cf56d8745ca637deee273929e01df449f85"
        },
        {
          "url": "https://git.kernel.org/stable/c/62505657475c245c9cd46e42ac01026d1e61f027"
        },
        {
          "url": "https://git.kernel.org/stable/c/a321d163de3d8aa38a6449ab2becf4b1581aed96"
        }
      ],
      "title": "bus: mhi: host: pci_generic: Use pci_try_reset_function() to avoid deadlock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21951",
    "datePublished": "2025-04-01T15:41:11.487Z",
    "dateReserved": "2024-12-29T08:45:45.790Z",
    "dateUpdated": "2025-11-03T19:39:52.892Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21928 (GCVE-0-2025-21928)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove() The system can experience a random crash a few minutes after the driver is removed. This issue occurs due to improper handling of memory freeing in the ishtp_hid_remove() function. The function currently frees the `driver_data` directly within the loop that destroys the HID devices, which can lead to accessing freed memory. Specifically, `hid_destroy_device()` uses `driver_data` when it calls `hid_ishtp_set_feature()` to power off the sensor, so freeing `driver_data` beforehand can result in accessing invalid memory. This patch resolves the issue by storing the `driver_data` in a temporary variable before calling `hid_destroy_device()`, and then freeing the `driver_data` after the device is destroyed.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0c1fb475ef999d6c2…
	https://git.kernel.org/stable/c/d3faae7f42181865c…
	https://git.kernel.org/stable/c/01b18a330cda61cc2…
	https://git.kernel.org/stable/c/cf1a6015d2f6b1f0a…
	https://git.kernel.org/stable/c/560f4d1299342504a…
	https://git.kernel.org/stable/c/dea6a349bcaf243ff…
	https://git.kernel.org/stable/c/eb0695d87a81e7c1f…
	https://git.kernel.org/stable/c/07583a0010696a17f…

Impacted products

Vendor

Product

Version

Linux

Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < 0c1fb475ef999d6c22fc3f963fdf20cb3ed1b03d (git)
Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < d3faae7f42181865c799d88c5054176f38ae4625 (git)
Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < 01b18a330cda61cc21423a7d1af92cf31ded8f60 (git)
Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < cf1a6015d2f6b1f0afaa0fd6a0124ff2c7943394 (git)
Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < 560f4d1299342504a6ab8a47f575b5e6b8345ada (git)
Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < dea6a349bcaf243fff95dfd0428a26be6a0fb44e (git)
Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < eb0695d87a81e7c1f0509b7d8ee7c65fbc26aec9 (git)
Affected: 0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6 , < 07583a0010696a17fb0942e0b499a62785c5fc9f (git)

Linux

Affected: 4.9
Unaffected: 0 , < 4.9 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21928",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T13:15:05.405186Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T13:19:52.863Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:26.507Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/intel-ish-hid/ishtp-hid.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c1fb475ef999d6c22fc3f963fdf20cb3ed1b03d",
              "status": "affected",
              "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
              "versionType": "git"
            },
            {
              "lessThan": "d3faae7f42181865c799d88c5054176f38ae4625",
              "status": "affected",
              "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
              "versionType": "git"
            },
            {
              "lessThan": "01b18a330cda61cc21423a7d1af92cf31ded8f60",
              "status": "affected",
              "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
              "versionType": "git"
            },
            {
              "lessThan": "cf1a6015d2f6b1f0afaa0fd6a0124ff2c7943394",
              "status": "affected",
              "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
              "versionType": "git"
            },
            {
              "lessThan": "560f4d1299342504a6ab8a47f575b5e6b8345ada",
              "status": "affected",
              "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
              "versionType": "git"
            },
            {
              "lessThan": "dea6a349bcaf243fff95dfd0428a26be6a0fb44e",
              "status": "affected",
              "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
              "versionType": "git"
            },
            {
              "lessThan": "eb0695d87a81e7c1f0509b7d8ee7c65fbc26aec9",
              "status": "affected",
              "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
              "versionType": "git"
            },
            {
              "lessThan": "07583a0010696a17fb0942e0b499a62785c5fc9f",
              "status": "affected",
              "version": "0b28cb4bcb17dcb5fe0763fc3e1a94398b8f6cf6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/intel-ish-hid/ishtp-hid.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()\n\nThe system can experience a random crash a few minutes after the driver is\nremoved. This issue occurs due to improper handling of memory freeing in\nthe ishtp_hid_remove() function.\n\nThe function currently frees the `driver_data` directly within the loop\nthat destroys the HID devices, which can lead to accessing freed memory.\nSpecifically, `hid_destroy_device()` uses `driver_data` when it calls\n`hid_ishtp_set_feature()` to power off the sensor, so freeing\n`driver_data` beforehand can result in accessing invalid memory.\n\nThis patch resolves the issue by storing the `driver_data` in a temporary\nvariable before calling `hid_destroy_device()`, and then freeing the\n`driver_data` after the device is destroyed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:45.899Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c1fb475ef999d6c22fc3f963fdf20cb3ed1b03d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3faae7f42181865c799d88c5054176f38ae4625"
        },
        {
          "url": "https://git.kernel.org/stable/c/01b18a330cda61cc21423a7d1af92cf31ded8f60"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf1a6015d2f6b1f0afaa0fd6a0124ff2c7943394"
        },
        {
          "url": "https://git.kernel.org/stable/c/560f4d1299342504a6ab8a47f575b5e6b8345ada"
        },
        {
          "url": "https://git.kernel.org/stable/c/dea6a349bcaf243fff95dfd0428a26be6a0fb44e"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb0695d87a81e7c1f0509b7d8ee7c65fbc26aec9"
        },
        {
          "url": "https://git.kernel.org/stable/c/07583a0010696a17fb0942e0b499a62785c5fc9f"
        }
      ],
      "title": "HID: intel-ish-hid: Fix use-after-free issue in ishtp_hid_remove()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21928",
    "datePublished": "2025-04-01T15:40:59.033Z",
    "dateReserved": "2024-12-29T08:45:45.788Z",
    "dateUpdated": "2025-11-03T19:39:26.507Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21898 (GCVE-0-2025-21898)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:26 – Updated: 2025-11-03 19:38

Title

ftrace: Avoid potential division by zero in function_stat_show()

Summary

In the Linux kernel, the following vulnerability has been resolved: ftrace: Avoid potential division by zero in function_stat_show() Check whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64} produce zero and skip stddev computation in that case. For now don't care about rec->counter * rec->counter overflow because rec->time * rec->time overflow will likely happen earlier.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-369 - Divide By Zero

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5b3d32f607f0478b4…
	https://git.kernel.org/stable/c/ca381f60a3bb7cfaa…
	https://git.kernel.org/stable/c/3d738b53ed6cddb68…
	https://git.kernel.org/stable/c/992775227843c9376…
	https://git.kernel.org/stable/c/f58a3f8e284d0bdf9…
	https://git.kernel.org/stable/c/746cc474a95473591…
	https://git.kernel.org/stable/c/9cdac46fa7e854e58…
	https://git.kernel.org/stable/c/a1a7eb89ca0b89dc1…

Impacted products

Vendor

Product

Version

Linux

Affected: f0629ee3922f10112584b1898491fecc74d98b3b , < 5b3d32f607f0478b414b16516cf27f9170cf66c8 (git)
Affected: e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d , < ca381f60a3bb7cfaa618d73ca411610bd7fc3149 (git)
Affected: e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d , < 3d738b53ed6cddb68e68c9874520a4bf846163b5 (git)
Affected: e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d , < 992775227843c9376773784b8b362add44592ad7 (git)
Affected: e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d , < f58a3f8e284d0bdf94164a8e61cd4e70d337a1a3 (git)
Affected: e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d , < 746cc474a95473591853927b3a9792a2d671155b (git)
Affected: e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d , < 9cdac46fa7e854e587eb5f393fe491b6d7a9bdf6 (git)
Affected: e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d , < a1a7eb89ca0b89dc1c326eeee2596f263291aca3 (git)
Affected: c59e74104cfd7df3ca0b5f59f1baee9c8c28b9ef (git)
Affected: 015f0fd0fcc338513f80044add27fa46cf71d217 (git)
Affected: 1a2985af2a20b816a5cc41a2ddc1c4109ef6b9c6 (git)
Affected: 7650b4b1df091815bbbbb837d308dd4154684f8a (git)
Affected: 010a7e846d4beaf34384c40ff18d5de10106d9b4 (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21898",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:18:13.401520Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-369",
                "description": "CWE-369 Divide By Zero",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:18:15.822Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:44.454Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5b3d32f607f0478b414b16516cf27f9170cf66c8",
              "status": "affected",
              "version": "f0629ee3922f10112584b1898491fecc74d98b3b",
              "versionType": "git"
            },
            {
              "lessThan": "ca381f60a3bb7cfaa618d73ca411610bd7fc3149",
              "status": "affected",
              "version": "e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d",
              "versionType": "git"
            },
            {
              "lessThan": "3d738b53ed6cddb68e68c9874520a4bf846163b5",
              "status": "affected",
              "version": "e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d",
              "versionType": "git"
            },
            {
              "lessThan": "992775227843c9376773784b8b362add44592ad7",
              "status": "affected",
              "version": "e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d",
              "versionType": "git"
            },
            {
              "lessThan": "f58a3f8e284d0bdf94164a8e61cd4e70d337a1a3",
              "status": "affected",
              "version": "e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d",
              "versionType": "git"
            },
            {
              "lessThan": "746cc474a95473591853927b3a9792a2d671155b",
              "status": "affected",
              "version": "e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d",
              "versionType": "git"
            },
            {
              "lessThan": "9cdac46fa7e854e587eb5f393fe491b6d7a9bdf6",
              "status": "affected",
              "version": "e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d",
              "versionType": "git"
            },
            {
              "lessThan": "a1a7eb89ca0b89dc1c326eeee2596f263291aca3",
              "status": "affected",
              "version": "e31f7939c1c27faa5d0e3f14519eaf7c89e8a69d",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c59e74104cfd7df3ca0b5f59f1baee9c8c28b9ef",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "015f0fd0fcc338513f80044add27fa46cf71d217",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1a2985af2a20b816a5cc41a2ddc1c4109ef6b9c6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7650b4b1df091815bbbbb837d308dd4154684f8a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "010a7e846d4beaf34384c40ff18d5de10106d9b4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/trace/ftrace.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.16.83",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.209",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.209",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.163",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.94",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nftrace: Avoid potential division by zero in function_stat_show()\n\nCheck whether denominator expression x * (x - 1) * 1000 mod {2^32, 2^64}\nproduce zero and skip stddev computation in that case.\n\nFor now don\u0027t care about rec-\u003ecounter * rec-\u003ecounter overflow because\nrec-\u003etime * rec-\u003etime overflow will likely happen earlier."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:42.735Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5b3d32f607f0478b414b16516cf27f9170cf66c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca381f60a3bb7cfaa618d73ca411610bd7fc3149"
        },
        {
          "url": "https://git.kernel.org/stable/c/3d738b53ed6cddb68e68c9874520a4bf846163b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/992775227843c9376773784b8b362add44592ad7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f58a3f8e284d0bdf94164a8e61cd4e70d337a1a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/746cc474a95473591853927b3a9792a2d671155b"
        },
        {
          "url": "https://git.kernel.org/stable/c/9cdac46fa7e854e587eb5f393fe491b6d7a9bdf6"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1a7eb89ca0b89dc1c326eeee2596f263291aca3"
        }
      ],
      "title": "ftrace: Avoid potential division by zero in function_stat_show()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21898",
    "datePublished": "2025-04-01T15:26:50.211Z",
    "dateReserved": "2024-12-29T08:45:45.783Z",
    "dateUpdated": "2025-11-03T19:38:44.454Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21935 (GCVE-0-2025-21935)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

rapidio: add check for rio_add_net() in rio_scan_alloc_net()

Summary

In the Linux kernel, the following vulnerability has been resolved: rapidio: add check for rio_add_net() in rio_scan_alloc_net() The return value of rio_add_net() should be checked. If it fails, put_device() should be called to free the memory and give up the reference initialized in rio_add_net().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6d22953c4a183d0b7…
	https://git.kernel.org/stable/c/4f3509cfcc02e9d75…
	https://git.kernel.org/stable/c/181d4daaefb3bceeb…
	https://git.kernel.org/stable/c/ad82be4298a89a9ae…
	https://git.kernel.org/stable/c/e6411c3b9512dba09…
	https://git.kernel.org/stable/c/c332f3e2df0fcae5a…
	https://git.kernel.org/stable/c/a0d069ccc475abaaa…
	https://git.kernel.org/stable/c/e842f9a1edf306bf3…

Impacted products

Vendor

Product

Version

Linux

Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < 6d22953c4a183d0b7fdf34d68c5debd16da6edc5 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < 4f3509cfcc02e9d757f2714bb7dbbeec35de6fa7 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < 181d4daaefb3bceeb2f2635ba9f3781eeda9e550 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < ad82be4298a89a9ae46f07128bdf3d8614bce745 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < e6411c3b9512dba09af7d014d474516828c89706 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < c332f3e2df0fcae5a45fd55cc18902fb1e4825ca (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < a0d069ccc475abaaa79c6368ee27fc0b5912bea8 (git)
Affected: e6b585ca6e81badeb3d42db3cc408174f2826034 , < e842f9a1edf306bf36fe2a4d847a0b0d458770de (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:33.438Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/rapidio/rio-scan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6d22953c4a183d0b7fdf34d68c5debd16da6edc5",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "4f3509cfcc02e9d757f2714bb7dbbeec35de6fa7",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "181d4daaefb3bceeb2f2635ba9f3781eeda9e550",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "ad82be4298a89a9ae46f07128bdf3d8614bce745",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "e6411c3b9512dba09af7d014d474516828c89706",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "c332f3e2df0fcae5a45fd55cc18902fb1e4825ca",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "a0d069ccc475abaaa79c6368ee27fc0b5912bea8",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            },
            {
              "lessThan": "e842f9a1edf306bf36fe2a4d847a0b0d458770de",
              "status": "affected",
              "version": "e6b585ca6e81badeb3d42db3cc408174f2826034",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/rapidio/rio-scan.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: add check for rio_add_net() in rio_scan_alloc_net()\n\nThe return value of rio_add_net() should be checked.  If it fails,\nput_device() should be called to free the memory and give up the reference\ninitialized in rio_add_net()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:00.311Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6d22953c4a183d0b7fdf34d68c5debd16da6edc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4f3509cfcc02e9d757f2714bb7dbbeec35de6fa7"
        },
        {
          "url": "https://git.kernel.org/stable/c/181d4daaefb3bceeb2f2635ba9f3781eeda9e550"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad82be4298a89a9ae46f07128bdf3d8614bce745"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6411c3b9512dba09af7d014d474516828c89706"
        },
        {
          "url": "https://git.kernel.org/stable/c/c332f3e2df0fcae5a45fd55cc18902fb1e4825ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0d069ccc475abaaa79c6368ee27fc0b5912bea8"
        },
        {
          "url": "https://git.kernel.org/stable/c/e842f9a1edf306bf36fe2a4d847a0b0d458770de"
        }
      ],
      "title": "rapidio: add check for rio_add_net() in rio_scan_alloc_net()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21935",
    "datePublished": "2025-04-01T15:41:03.335Z",
    "dateReserved": "2024-12-29T08:45:45.789Z",
    "dateUpdated": "2025-11-03T19:39:33.438Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21982 (GCVE-0-2025-21982)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-10-01 17:14

Title

pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw

Summary

In the Linux kernel, the following vulnerability has been resolved: pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw devm_kasprintf() calls can return null pointers on failure. But the return values were not checked in npcm8xx_gpio_fw(). Add NULL check in npcm8xx_gpio_fw(), to handle kernel NULL pointer dereference error.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a585f6ea42ec259a9…
	https://git.kernel.org/stable/c/6a08a86e5aff8e653…
	https://git.kernel.org/stable/c/acf40ab42799e4ae1…

Impacted products

Vendor

Product

Version

Linux

Affected: acf4884a571709cad99f98aabe08b7cacd62dc80 , < a585f6ea42ec259a9a57e3e2580fa527c92187d0 (git)
Affected: acf4884a571709cad99f98aabe08b7cacd62dc80 , < 6a08a86e5aff8e65368ccd463348fdda26100821 (git)
Affected: acf4884a571709cad99f98aabe08b7cacd62dc80 , < acf40ab42799e4ae1397ee6f5c5941092d66f999 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21982",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:14:32.790247Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:14:35.609Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a585f6ea42ec259a9a57e3e2580fa527c92187d0",
              "status": "affected",
              "version": "acf4884a571709cad99f98aabe08b7cacd62dc80",
              "versionType": "git"
            },
            {
              "lessThan": "6a08a86e5aff8e65368ccd463348fdda26100821",
              "status": "affected",
              "version": "acf4884a571709cad99f98aabe08b7cacd62dc80",
              "versionType": "git"
            },
            {
              "lessThan": "acf40ab42799e4ae1397ee6f5c5941092d66f999",
              "status": "affected",
              "version": "acf4884a571709cad99f98aabe08b7cacd62dc80",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/pinctrl/nuvoton/pinctrl-npcm8xx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw\n\ndevm_kasprintf() calls can return null pointers on failure.\nBut the return values were not checked in npcm8xx_gpio_fw().\nAdd NULL check in npcm8xx_gpio_fw(), to handle kernel NULL\npointer dereference error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:33.389Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a585f6ea42ec259a9a57e3e2580fa527c92187d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/6a08a86e5aff8e65368ccd463348fdda26100821"
        },
        {
          "url": "https://git.kernel.org/stable/c/acf40ab42799e4ae1397ee6f5c5941092d66f999"
        }
      ],
      "title": "pinctrl: nuvoton: npcm8xx: Add NULL check in npcm8xx_gpio_fw",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21982",
    "datePublished": "2025-04-01T15:47:10.274Z",
    "dateReserved": "2024-12-29T08:45:45.799Z",
    "dateUpdated": "2025-10-01T17:14:35.609Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-26982 (GCVE-0-2024-26982)

Vulnerability from cvelistv5 – Published: 2024-05-01 05:27 – Updated: 2026-01-05 10:35

Title

Squashfs: check the inode number is not the invalid value of zero

Summary

In the Linux kernel, the following vulnerability has been resolved: Squashfs: check the inode number is not the invalid value of zero Syskiller has produced an out of bounds access in fill_meta_index(). That out of bounds access is ultimately caused because the inode has an inode number with the invalid value of zero, which was not checked. The reason this causes the out of bounds access is due to following sequence of events: 1. Fill_meta_index() is called to allocate (via empty_meta_index()) and fill a metadata index. It however suffers a data read error and aborts, invalidating the newly returned empty metadata index. It does this by setting the inode number of the index to zero, which means unused (zero is not a valid inode number). 2. When fill_meta_index() is subsequently called again on another read operation, locate_meta_index() returns the previous index because it matches the inode number of 0. Because this index has been returned it is expected to have been filled, and because it hasn't been, an out of bounds access is performed. This patch adds a sanity check which checks that the inode number is not zero when the inode is created and returns -EINVAL if it is. [phillip@squashfs.org.uk: whitespace fix]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/32c114a58236fe671…
	https://git.kernel.org/stable/c/4a1b6f89825e267e1…
	https://git.kernel.org/stable/c/cf46f88b92cfc0e32…
	https://git.kernel.org/stable/c/5b99dea79650b5090…
	https://git.kernel.org/stable/c/be383effaee3d8903…
	https://git.kernel.org/stable/c/7def00ebc9f2d6a58…
	https://git.kernel.org/stable/c/9253c54e01b6505d3…

Impacted products

Vendor

Product

Version

Linux

Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 32c114a58236fe67141634774559f21f1dc96fd7 (git)
Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 4a1b6f89825e267e156ccaeba3d235edcac77f94 (git)
Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < cf46f88b92cfc0e32bd8a21ba1273cff13b8745f (git)
Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 5b99dea79650b50909c50aba24fbae00f203f013 (git)
Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < be383effaee3d89034f0828038f95065b518772e (git)
Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 7def00ebc9f2d6a581ddf46ce4541f84a10680e5 (git)
Affected: 6545b246a2c815a8fcd07d58240effb6ec3481b1 , < 9253c54e01b6505d348afbc02abaa4d9f8a01395 (git)

Linux

Affected: 2.6.29
Unaffected: 0 , < 2.6.29 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.30 , ≤ 6.6.* (semver)
Unaffected: 6.8.8 , ≤ 6.8.* (semver)
Unaffected: 6.9 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-04T17:15:00.359Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DAMSOZXJEPUOXW33WZYWCVAY7Z5S7OOY/"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4EZ6PJW7VOZ224TD7N4JZNU6KV32ZJ53/"
          },
          {
            "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GCBZZEC7L7KTWWAS2NLJK6SO3IZIL4WW/"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-26982",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:45:06.926436Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:42.999Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/squashfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "32c114a58236fe67141634774559f21f1dc96fd7",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "4a1b6f89825e267e156ccaeba3d235edcac77f94",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "cf46f88b92cfc0e32bd8a21ba1273cff13b8745f",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "5b99dea79650b50909c50aba24fbae00f203f013",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "be383effaee3d89034f0828038f95065b518772e",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "7def00ebc9f2d6a581ddf46ce4541f84a10680e5",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            },
            {
              "lessThan": "9253c54e01b6505d348afbc02abaa4d9f8a01395",
              "status": "affected",
              "version": "6545b246a2c815a8fcd07d58240effb6ec3481b1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/squashfs/inode.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.29"
            },
            {
              "lessThan": "2.6.29",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.30",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.30",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.8",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "2.6.29",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nSquashfs: check the inode number is not the invalid value of zero\n\nSyskiller has produced an out of bounds access in fill_meta_index().\n\nThat out of bounds access is ultimately caused because the inode\nhas an inode number with the invalid value of zero, which was not checked.\n\nThe reason this causes the out of bounds access is due to following\nsequence of events:\n\n1. Fill_meta_index() is called to allocate (via empty_meta_index())\n   and fill a metadata index.  It however suffers a data read error\n   and aborts, invalidating the newly returned empty metadata index.\n   It does this by setting the inode number of the index to zero,\n   which means unused (zero is not a valid inode number).\n\n2. When fill_meta_index() is subsequently called again on another\n   read operation, locate_meta_index() returns the previous index\n   because it matches the inode number of 0.  Because this index\n   has been returned it is expected to have been filled, and because\n   it hasn\u0027t been, an out of bounds access is performed.\n\nThis patch adds a sanity check which checks that the inode number\nis not zero when the inode is created and returns -EINVAL if it is.\n\n[phillip@squashfs.org.uk: whitespace fix]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:35:08.988Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/32c114a58236fe67141634774559f21f1dc96fd7"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a1b6f89825e267e156ccaeba3d235edcac77f94"
        },
        {
          "url": "https://git.kernel.org/stable/c/cf46f88b92cfc0e32bd8a21ba1273cff13b8745f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b99dea79650b50909c50aba24fbae00f203f013"
        },
        {
          "url": "https://git.kernel.org/stable/c/be383effaee3d89034f0828038f95065b518772e"
        },
        {
          "url": "https://git.kernel.org/stable/c/7def00ebc9f2d6a581ddf46ce4541f84a10680e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/9253c54e01b6505d348afbc02abaa4d9f8a01395"
        }
      ],
      "title": "Squashfs: check the inode number is not the invalid value of zero",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-26982",
    "datePublished": "2024-05-01T05:27:11.032Z",
    "dateReserved": "2024-02-19T14:20:24.204Z",
    "dateUpdated": "2026-01-05T10:35:08.988Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37773 (GCVE-0-2025-37773)

Vulnerability from cvelistv5 – Published: 2025-05-01 13:07 – Updated: 2025-11-03 19:54

Title

virtiofs: add filesystem context source name check

Summary

In the Linux kernel, the following vulnerability has been resolved: virtiofs: add filesystem context source name check In certain scenarios, for example, during fuzz testing, the source name may be NULL, which could lead to a kernel panic. Therefore, an extra check for the source name should be added.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b84f13fdad10a543e…
	https://git.kernel.org/stable/c/9d6dcf18a1b499902…
	https://git.kernel.org/stable/c/5ee09cdaf3414f6c9…
	https://git.kernel.org/stable/c/599d1e2a6aecc44ac…
	https://git.kernel.org/stable/c/f6ec52710dc5e156b…
	https://git.kernel.org/stable/c/c3e31d613951c2994…
	https://git.kernel.org/stable/c/a648d80f8d9b208be…
	https://git.kernel.org/stable/c/a94fd938df2b1628d…

Impacted products

Vendor

Product

Version

Linux

Affected: a62a8ef9d97da23762a588592c8b8eb50a8deb6a , < b84f13fdad10a543e2e65bab7e81b3f0bceabd67 (git)
Affected: a62a8ef9d97da23762a588592c8b8eb50a8deb6a , < 9d6dcf18a1b49990295ac8a05fd9bdfd27ccbf88 (git)
Affected: a62a8ef9d97da23762a588592c8b8eb50a8deb6a , < 5ee09cdaf3414f6c92960714af46d3d90eede2f3 (git)
Affected: a62a8ef9d97da23762a588592c8b8eb50a8deb6a , < 599d1e2a6aecc44acf22fe7ea6f5e84a7e526abe (git)
Affected: a62a8ef9d97da23762a588592c8b8eb50a8deb6a , < f6ec52710dc5e156b774cbef5d0f5c99b1c53a80 (git)
Affected: a62a8ef9d97da23762a588592c8b8eb50a8deb6a , < c3e31d613951c299487844c4d1686a933e8ee291 (git)
Affected: a62a8ef9d97da23762a588592c8b8eb50a8deb6a , < a648d80f8d9b208beee03a2d9aa690cfacf1d41e (git)
Affected: a62a8ef9d97da23762a588592c8b8eb50a8deb6a , < a94fd938df2b1628da66b498aa0eeb89593bc7a2 (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:52.701Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/fuse/virtio_fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b84f13fdad10a543e2e65bab7e81b3f0bceabd67",
              "status": "affected",
              "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a",
              "versionType": "git"
            },
            {
              "lessThan": "9d6dcf18a1b49990295ac8a05fd9bdfd27ccbf88",
              "status": "affected",
              "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a",
              "versionType": "git"
            },
            {
              "lessThan": "5ee09cdaf3414f6c92960714af46d3d90eede2f3",
              "status": "affected",
              "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a",
              "versionType": "git"
            },
            {
              "lessThan": "599d1e2a6aecc44acf22fe7ea6f5e84a7e526abe",
              "status": "affected",
              "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a",
              "versionType": "git"
            },
            {
              "lessThan": "f6ec52710dc5e156b774cbef5d0f5c99b1c53a80",
              "status": "affected",
              "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a",
              "versionType": "git"
            },
            {
              "lessThan": "c3e31d613951c299487844c4d1686a933e8ee291",
              "status": "affected",
              "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a",
              "versionType": "git"
            },
            {
              "lessThan": "a648d80f8d9b208beee03a2d9aa690cfacf1d41e",
              "status": "affected",
              "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a",
              "versionType": "git"
            },
            {
              "lessThan": "a94fd938df2b1628da66b498aa0eeb89593bc7a2",
              "status": "affected",
              "version": "a62a8ef9d97da23762a588592c8b8eb50a8deb6a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/fuse/virtio_fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvirtiofs: add filesystem context source name check\n\nIn certain scenarios, for example, during fuzz testing, the source\nname may be NULL, which could lead to a kernel panic. Therefore, an\nextra check for the source name should be added."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:34.795Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b84f13fdad10a543e2e65bab7e81b3f0bceabd67"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d6dcf18a1b49990295ac8a05fd9bdfd27ccbf88"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ee09cdaf3414f6c92960714af46d3d90eede2f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/599d1e2a6aecc44acf22fe7ea6f5e84a7e526abe"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6ec52710dc5e156b774cbef5d0f5c99b1c53a80"
        },
        {
          "url": "https://git.kernel.org/stable/c/c3e31d613951c299487844c4d1686a933e8ee291"
        },
        {
          "url": "https://git.kernel.org/stable/c/a648d80f8d9b208beee03a2d9aa690cfacf1d41e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a94fd938df2b1628da66b498aa0eeb89593bc7a2"
        }
      ],
      "title": "virtiofs: add filesystem context source name check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37773",
    "datePublished": "2025-05-01T13:07:12.944Z",
    "dateReserved": "2025-04-16T04:51:23.939Z",
    "dateUpdated": "2025-11-03T19:54:52.701Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-58083 (GCVE-0-2024-58083)

Vulnerability from cvelistv5 – Published: 2025-03-06 16:13 – Updated: 2025-11-03 19:34

Title

KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: Explicitly verify target vCPU is online in kvm_get_vcpu() Explicitly verify the target vCPU is fully online _prior_ to clamping the index in kvm_get_vcpu(). If the index is "bad", the nospec clamping will generate '0', i.e. KVM will return vCPU0 instead of NULL. In practice, the bug is unlikely to cause problems, as it will only come into play if userspace or the guest is buggy or misbehaving, e.g. KVM may send interrupts to vCPU0 instead of dropping them on the floor. However, returning vCPU0 when it shouldn't exist per online_vcpus is problematic now that KVM uses an xarray for the vCPUs array, as KVM needs to insert into the xarray before publishing the vCPU to userspace (see commit c5b077549136 ("KVM: Convert the kvm->vcpus array to a xarray")), i.e. before vCPU creation is guaranteed to succeed. As a result, incorrectly providing access to vCPU0 will trigger a use-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu() bails out of vCPU creation due to an error and frees vCPU0. Commit afb2acb2e3a3 ("KVM: Fix vcpu_array[0] races") papered over that issue, but in doing so introduced an unsolvable teardown conundrum. Preventing accesses to vCPU0 before it's fully online will allow reverting commit afb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5cce2ed69b00e022b…
	https://git.kernel.org/stable/c/09d50ccf0b2d739db…
	https://git.kernel.org/stable/c/7c4899239d0f70f88…
	https://git.kernel.org/stable/c/d817e510662fd1c97…
	https://git.kernel.org/stable/c/125da53b3c0c9d7f5…
	https://git.kernel.org/stable/c/f2f805ada63b536bc…
	https://git.kernel.org/stable/c/ca8da90ed1432ff3d…
	https://git.kernel.org/stable/c/1e7381f3617d14b3c…

Impacted products

Vendor

Product

Version

Linux

Affected: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c , < 5cce2ed69b00e022b5cdf0c49c82986abd2941a8 (git)
Affected: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c , < 09d50ccf0b2d739db4a485b08afe7520a4402a63 (git)
Affected: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c , < 7c4899239d0f70f88ac42665b3da51678d122480 (git)
Affected: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c , < d817e510662fd1c9797952408d94806f97a5fffd (git)
Affected: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c , < 125da53b3c0c9d7f58353aea0076e9efd6498ba7 (git)
Affected: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c , < f2f805ada63b536bc192458a7098388286568ad4 (git)
Affected: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c , < ca8da90ed1432ff3d000de4f1e2275d4e7d21b96 (git)
Affected: 1d487e9bf8ba66a7174c56a0029c54b1eca8f99c , < 1e7381f3617d14b3c11da80ff5f8a93ab14cfc46 (git)
Affected: 559e2696d2f47a3575e9550f101a7e59e30b1b38 (git)
Affected: d39f3cc71382165bb7efb8e06a2bd32f847de4ae (git)
Affected: 7cee966029037a183d98cb88251ceb92a233fe63 (git)

Linux

Affected: 5.1
Unaffected: 0 , < 5.1 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.78 , ≤ 6.6.* (semver)
Unaffected: 6.12.14 , ≤ 6.12.* (semver)
Unaffected: 6.13.3 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58083",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T17:00:02.623750Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T17:08:23.092Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:34:17.500Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/linux/kvm_host.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5cce2ed69b00e022b5cdf0c49c82986abd2941a8",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "09d50ccf0b2d739db4a485b08afe7520a4402a63",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "7c4899239d0f70f88ac42665b3da51678d122480",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "d817e510662fd1c9797952408d94806f97a5fffd",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "125da53b3c0c9d7f58353aea0076e9efd6498ba7",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "f2f805ada63b536bc192458a7098388286568ad4",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "ca8da90ed1432ff3d000de4f1e2275d4e7d21b96",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "lessThan": "1e7381f3617d14b3c11da80ff5f8a93ab14cfc46",
              "status": "affected",
              "version": "1d487e9bf8ba66a7174c56a0029c54b1eca8f99c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "559e2696d2f47a3575e9550f101a7e59e30b1b38",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d39f3cc71382165bb7efb8e06a2bd32f847de4ae",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7cee966029037a183d98cb88251ceb92a233fe63",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/linux/kvm_host.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.120",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.44",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.0.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: Explicitly verify target vCPU is online in kvm_get_vcpu()\n\nExplicitly verify the target vCPU is fully online _prior_ to clamping the\nindex in kvm_get_vcpu().  If the index is \"bad\", the nospec clamping will\ngenerate \u00270\u0027, i.e. KVM will return vCPU0 instead of NULL.\n\nIn practice, the bug is unlikely to cause problems, as it will only come\ninto play if userspace or the guest is buggy or misbehaving, e.g. KVM may\nsend interrupts to vCPU0 instead of dropping them on the floor.\n\nHowever, returning vCPU0 when it shouldn\u0027t exist per online_vcpus is\nproblematic now that KVM uses an xarray for the vCPUs array, as KVM needs\nto insert into the xarray before publishing the vCPU to userspace (see\ncommit c5b077549136 (\"KVM: Convert the kvm-\u003evcpus array to a xarray\")),\ni.e. before vCPU creation is guaranteed to succeed.\n\nAs a result, incorrectly providing access to vCPU0 will trigger a\nuse-after-free if vCPU0 is dereferenced and kvm_vm_ioctl_create_vcpu()\nbails out of vCPU creation due to an error and frees vCPU0.  Commit\nafb2acb2e3a3 (\"KVM: Fix vcpu_array[0] races\") papered over that issue, but\nin doing so introduced an unsolvable teardown conundrum.  Preventing\naccesses to vCPU0 before it\u0027s fully online will allow reverting commit\nafb2acb2e3a3, without re-introducing the vcpu_array[0] UAF race."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:53.162Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5cce2ed69b00e022b5cdf0c49c82986abd2941a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/09d50ccf0b2d739db4a485b08afe7520a4402a63"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c4899239d0f70f88ac42665b3da51678d122480"
        },
        {
          "url": "https://git.kernel.org/stable/c/d817e510662fd1c9797952408d94806f97a5fffd"
        },
        {
          "url": "https://git.kernel.org/stable/c/125da53b3c0c9d7f58353aea0076e9efd6498ba7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2f805ada63b536bc192458a7098388286568ad4"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca8da90ed1432ff3d000de4f1e2275d4e7d21b96"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e7381f3617d14b3c11da80ff5f8a93ab14cfc46"
        }
      ],
      "title": "KVM: Explicitly verify target vCPU is online in kvm_get_vcpu()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58083",
    "datePublished": "2025-03-06T16:13:45.631Z",
    "dateReserved": "2025-03-06T15:52:09.183Z",
    "dateUpdated": "2025-11-03T19:34:17.500Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21906 (GCVE-0-2025-21906)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-05-04 07:23

Title

wifi: iwlwifi: mvm: clean up ROC on failure

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: iwlwifi: mvm: clean up ROC on failure If the firmware fails to start the session protection, then we do call iwl_mvm_roc_finished() here, but that won't do anything at all because IWL_MVM_STATUS_ROC_P2P_RUNNING was never set. Set IWL_MVM_STATUS_ROC_P2P_RUNNING in the failure/stop path. If it started successfully before, it's already set, so that doesn't matter, and if it didn't start it needs to be set to clean up. Not doing so will lead to a WARN_ON() later on a fresh remain- on-channel, since the link is already active when activated as it was never deactivated.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a88c18409b5d69f42…
	https://git.kernel.org/stable/c/d1a12fcb9051bbf38…
	https://git.kernel.org/stable/c/f9751163bffd3fe60…

Impacted products

Vendor

Product

Version

Linux

Affected: 35c1bbd93c4e6969b3ac238b48a8bdff3e223ed8 , < a88c18409b5d69f426d5acc583c053eac71756a3 (git)
Affected: 35c1bbd93c4e6969b3ac238b48a8bdff3e223ed8 , < d1a12fcb9051bbf38b2e5af310ffb102a0fab6f9 (git)
Affected: 35c1bbd93c4e6969b3ac238b48a8bdff3e223ed8 , < f9751163bffd3fe60794929829f810968c6de73d (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/intel/iwlwifi/mvm/time-event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a88c18409b5d69f426d5acc583c053eac71756a3",
              "status": "affected",
              "version": "35c1bbd93c4e6969b3ac238b48a8bdff3e223ed8",
              "versionType": "git"
            },
            {
              "lessThan": "d1a12fcb9051bbf38b2e5af310ffb102a0fab6f9",
              "status": "affected",
              "version": "35c1bbd93c4e6969b3ac238b48a8bdff3e223ed8",
              "versionType": "git"
            },
            {
              "lessThan": "f9751163bffd3fe60794929829f810968c6de73d",
              "status": "affected",
              "version": "35c1bbd93c4e6969b3ac238b48a8bdff3e223ed8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/intel/iwlwifi/mvm/time-event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: iwlwifi: mvm: clean up ROC on failure\n\nIf the firmware fails to start the session protection, then we\ndo call iwl_mvm_roc_finished() here, but that won\u0027t do anything\nat all because IWL_MVM_STATUS_ROC_P2P_RUNNING was never set.\nSet IWL_MVM_STATUS_ROC_P2P_RUNNING in the failure/stop path.\nIf it started successfully before, it\u0027s already set, so that\ndoesn\u0027t matter, and if it didn\u0027t start it needs to be set to\nclean up.\n\nNot doing so will lead to a WARN_ON() later on a fresh remain-\non-channel, since the link is already active when activated as\nit was never deactivated."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:56.656Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a88c18409b5d69f426d5acc583c053eac71756a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1a12fcb9051bbf38b2e5af310ffb102a0fab6f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/f9751163bffd3fe60794929829f810968c6de73d"
        }
      ],
      "title": "wifi: iwlwifi: mvm: clean up ROC on failure",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21906",
    "datePublished": "2025-04-01T15:40:47.059Z",
    "dateReserved": "2024-12-29T08:45:45.786Z",
    "dateUpdated": "2025-05-04T07:23:56.656Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22027 (GCVE-0-2025-22027)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2025-11-03 19:41

Title

media: streamzap: fix race between device disconnection and urb callback

Summary

In the Linux kernel, the following vulnerability has been resolved: media: streamzap: fix race between device disconnection and urb callback Syzkaller has reported a general protection fault at function ir_raw_event_store_with_filter(). This crash is caused by a NULL pointer dereference of dev->raw pointer, even though it is checked for NULL in the same function, which means there is a race condition. It occurs due to the incorrect order of actions in the streamzap_disconnect() function: rc_unregister_device() is called before usb_kill_urb(). The dev->raw pointer is freed and set to NULL in rc_unregister_device(), and only after that usb_kill_urb() waits for in-progress requests to finish. If rc_unregister_device() is called while streamzap_callback() handler is not finished, this can lead to accessing freed resources. Thus rc_unregister_device() should be called after usb_kill_urb(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity ?

4.7 (Medium)


                        
                          CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e11652a6514ec8054…
	https://git.kernel.org/stable/c/f1d518c0bad01abe8…
	https://git.kernel.org/stable/c/30ef7cfee752ca318…
	https://git.kernel.org/stable/c/15483afb930fc2f88…
	https://git.kernel.org/stable/c/adf0ddb914c9e5b3e…
	https://git.kernel.org/stable/c/4db62b60af2ccdea6…
	https://git.kernel.org/stable/c/8760da4b9d44c36b9…
	https://git.kernel.org/stable/c/f656cfbc7a293a039…

Impacted products

Vendor

Product

Version

Linux

Affected: 8e9e60640067858e8036d4d43bbf725c60613359 , < e11652a6514ec805440c1bb3739e6c6236fffcc7 (git)
Affected: 8e9e60640067858e8036d4d43bbf725c60613359 , < f1d518c0bad01abe83c2df880274cb6a39f4a457 (git)
Affected: 8e9e60640067858e8036d4d43bbf725c60613359 , < 30ef7cfee752ca318d5902cb67b60d9797ccd378 (git)
Affected: 8e9e60640067858e8036d4d43bbf725c60613359 , < 15483afb930fc2f883702dc96f80efbe4055235e (git)
Affected: 8e9e60640067858e8036d4d43bbf725c60613359 , < adf0ddb914c9e5b3e50da4c97959e82de2df75c3 (git)
Affected: 8e9e60640067858e8036d4d43bbf725c60613359 , < 4db62b60af2ccdea6ac5452fd20e29587ed85f57 (git)
Affected: 8e9e60640067858e8036d4d43bbf725c60613359 , < 8760da4b9d44c36b93b6e4cf401ec7fe520015bd (git)
Affected: 8e9e60640067858e8036d4d43bbf725c60613359 , < f656cfbc7a293a039d6a0c7100e1c846845148c1 (git)

Linux

Affected: 2.6.36
Unaffected: 0 , < 2.6.36 (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 4.7,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22027",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:05:25.466545Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:05:28.195Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:14.786Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/rc/streamzap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e11652a6514ec805440c1bb3739e6c6236fffcc7",
              "status": "affected",
              "version": "8e9e60640067858e8036d4d43bbf725c60613359",
              "versionType": "git"
            },
            {
              "lessThan": "f1d518c0bad01abe83c2df880274cb6a39f4a457",
              "status": "affected",
              "version": "8e9e60640067858e8036d4d43bbf725c60613359",
              "versionType": "git"
            },
            {
              "lessThan": "30ef7cfee752ca318d5902cb67b60d9797ccd378",
              "status": "affected",
              "version": "8e9e60640067858e8036d4d43bbf725c60613359",
              "versionType": "git"
            },
            {
              "lessThan": "15483afb930fc2f883702dc96f80efbe4055235e",
              "status": "affected",
              "version": "8e9e60640067858e8036d4d43bbf725c60613359",
              "versionType": "git"
            },
            {
              "lessThan": "adf0ddb914c9e5b3e50da4c97959e82de2df75c3",
              "status": "affected",
              "version": "8e9e60640067858e8036d4d43bbf725c60613359",
              "versionType": "git"
            },
            {
              "lessThan": "4db62b60af2ccdea6ac5452fd20e29587ed85f57",
              "status": "affected",
              "version": "8e9e60640067858e8036d4d43bbf725c60613359",
              "versionType": "git"
            },
            {
              "lessThan": "8760da4b9d44c36b93b6e4cf401ec7fe520015bd",
              "status": "affected",
              "version": "8e9e60640067858e8036d4d43bbf725c60613359",
              "versionType": "git"
            },
            {
              "lessThan": "f656cfbc7a293a039d6a0c7100e1c846845148c1",
              "status": "affected",
              "version": "8e9e60640067858e8036d4d43bbf725c60613359",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/rc/streamzap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.36"
            },
            {
              "lessThan": "2.6.36",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.36",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: streamzap: fix race between device disconnection and urb callback\n\nSyzkaller has reported a general protection fault at function\nir_raw_event_store_with_filter(). This crash is caused by a NULL pointer\ndereference of dev-\u003eraw pointer, even though it is checked for NULL in\nthe same function, which means there is a race condition. It occurs due\nto the incorrect order of actions in the streamzap_disconnect() function:\nrc_unregister_device() is called before usb_kill_urb(). The dev-\u003eraw\npointer is freed and set to NULL in rc_unregister_device(), and only\nafter that usb_kill_urb() waits for in-progress requests to finish.\n\nIf rc_unregister_device() is called while streamzap_callback() handler is\nnot finished, this can lead to accessing freed resources. Thus\nrc_unregister_device() should be called after usb_kill_urb().\n\nFound by Linux Verification Center (linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:16:54.533Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e11652a6514ec805440c1bb3739e6c6236fffcc7"
        },
        {
          "url": "https://git.kernel.org/stable/c/f1d518c0bad01abe83c2df880274cb6a39f4a457"
        },
        {
          "url": "https://git.kernel.org/stable/c/30ef7cfee752ca318d5902cb67b60d9797ccd378"
        },
        {
          "url": "https://git.kernel.org/stable/c/15483afb930fc2f883702dc96f80efbe4055235e"
        },
        {
          "url": "https://git.kernel.org/stable/c/adf0ddb914c9e5b3e50da4c97959e82de2df75c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/4db62b60af2ccdea6ac5452fd20e29587ed85f57"
        },
        {
          "url": "https://git.kernel.org/stable/c/8760da4b9d44c36b93b6e4cf401ec7fe520015bd"
        },
        {
          "url": "https://git.kernel.org/stable/c/f656cfbc7a293a039d6a0c7100e1c846845148c1"
        }
      ],
      "title": "media: streamzap: fix race between device disconnection and urb callback",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22027",
    "datePublished": "2025-04-16T14:11:48.210Z",
    "dateReserved": "2024-12-29T08:45:45.807Z",
    "dateUpdated": "2025-11-03T19:41:14.786Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37746 (GCVE-0-2025-37746)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-05-26 05:19

Title

perf/dwc_pcie: fix duplicate pci_dev devices

Summary

In the Linux kernel, the following vulnerability has been resolved: perf/dwc_pcie: fix duplicate pci_dev devices During platform_device_register, wrongly using struct device pci_dev as platform_data caused a kmemdup copy of pci_dev. Worse still, accessing the duplicated device leads to list corruption as its mutex content (e.g., list, magic) remains the same as the original.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a71c6fc87b2b9905d…
	https://git.kernel.org/stable/c/7f35b429802a8065a…

Impacted products

Vendor

Product

Version

Linux

Affected: af9597adc2f1e3609c67c9792a2469bb64e43ae9 , < a71c6fc87b2b9905dc2e38887fe4122287216be9 (git)
Affected: af9597adc2f1e3609c67c9792a2469bb64e43ae9 , < 7f35b429802a8065aa61e2a3f567089649f4d98e (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/perf/dwc_pcie_pmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a71c6fc87b2b9905dc2e38887fe4122287216be9",
              "status": "affected",
              "version": "af9597adc2f1e3609c67c9792a2469bb64e43ae9",
              "versionType": "git"
            },
            {
              "lessThan": "7f35b429802a8065aa61e2a3f567089649f4d98e",
              "status": "affected",
              "version": "af9597adc2f1e3609c67c9792a2469bb64e43ae9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/perf/dwc_pcie_pmu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nperf/dwc_pcie: fix duplicate pci_dev devices\n\nDuring platform_device_register, wrongly using struct device\npci_dev as platform_data caused a kmemdup copy of pci_dev. Worse\nstill, accessing the duplicated device leads to list corruption as its\nmutex content (e.g., list, magic) remains the same as the original."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:59.952Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a71c6fc87b2b9905dc2e38887fe4122287216be9"
        },
        {
          "url": "https://git.kernel.org/stable/c/7f35b429802a8065aa61e2a3f567089649f4d98e"
        }
      ],
      "title": "perf/dwc_pcie: fix duplicate pci_dev devices",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37746",
    "datePublished": "2025-05-01T12:55:53.385Z",
    "dateReserved": "2025-04-16T04:51:23.936Z",
    "dateUpdated": "2025-05-26T05:19:59.952Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21979 (GCVE-0-2025-21979)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2026-02-06 16:30

Title

wifi: cfg80211: cancel wiphy_work before freeing wiphy

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: cfg80211: cancel wiphy_work before freeing wiphy A wiphy_work can be queued from the moment the wiphy is allocated and initialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the rdev::wiphy_work is getting queued. If wiphy_free is called before the rdev::wiphy_work had a chance to run, the wiphy memory will be freed, and then when it eventally gets to run it'll use invalid memory. Fix this by canceling the work before freeing the wiphy.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8930a3e1568cf534f…
	https://git.kernel.org/stable/c/0272d4af7f9299754…
	https://git.kernel.org/stable/c/75d262ad3c36d5285…
	https://git.kernel.org/stable/c/a5158d67bff06cb6f…
	https://git.kernel.org/stable/c/dea22de162058216a…
	https://git.kernel.org/stable/c/72d520476a2fab6f3…

Impacted products

Vendor

Product

Version

Linux

Affected: ddb1bfbf4ab5c753954d0cd728253b642934a9f2 , < 8930a3e1568cf534f86c8ed2def817c6d0528fc1 (git)
Affected: 3fcc6d7d5f40dad56dee7bde787b7e23edd4b93c , < 0272d4af7f92997541d8bbf4c51918b93ded6ee2 (git)
Affected: a3ee4dc84c4e9d14cb34dad095fd678127aca5b6 , < 75d262ad3c36d52852d764588fcd887f0fcd9138 (git)
Affected: a3ee4dc84c4e9d14cb34dad095fd678127aca5b6 , < a5158d67bff06cb6fea31be39aeb319fd908ed8e (git)
Affected: a3ee4dc84c4e9d14cb34dad095fd678127aca5b6 , < dea22de162058216a90f2706f0d0b36f0ff309fd (git)
Affected: a3ee4dc84c4e9d14cb34dad095fd678127aca5b6 , < 72d520476a2fab6f3489e8388ab524985d6c4b90 (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21979",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:15:17.684537Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:15:20.536Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:19.723Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/wireless/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8930a3e1568cf534f86c8ed2def817c6d0528fc1",
              "status": "affected",
              "version": "ddb1bfbf4ab5c753954d0cd728253b642934a9f2",
              "versionType": "git"
            },
            {
              "lessThan": "0272d4af7f92997541d8bbf4c51918b93ded6ee2",
              "status": "affected",
              "version": "3fcc6d7d5f40dad56dee7bde787b7e23edd4b93c",
              "versionType": "git"
            },
            {
              "lessThan": "75d262ad3c36d52852d764588fcd887f0fcd9138",
              "status": "affected",
              "version": "a3ee4dc84c4e9d14cb34dad095fd678127aca5b6",
              "versionType": "git"
            },
            {
              "lessThan": "a5158d67bff06cb6fea31be39aeb319fd908ed8e",
              "status": "affected",
              "version": "a3ee4dc84c4e9d14cb34dad095fd678127aca5b6",
              "versionType": "git"
            },
            {
              "lessThan": "dea22de162058216a90f2706f0d0b36f0ff309fd",
              "status": "affected",
              "version": "a3ee4dc84c4e9d14cb34dad095fd678127aca5b6",
              "versionType": "git"
            },
            {
              "lessThan": "72d520476a2fab6f3489e8388ab524985d6c4b90",
              "status": "affected",
              "version": "a3ee4dc84c4e9d14cb34dad095fd678127aca5b6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/wireless/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "6.1.57",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: cfg80211: cancel wiphy_work before freeing wiphy\n\nA wiphy_work can be queued from the moment the wiphy is allocated and\ninitialized (i.e. wiphy_new_nm). When a wiphy_work is queued, the\nrdev::wiphy_work is getting queued.\n\nIf wiphy_free is called before the rdev::wiphy_work had a chance to run,\nthe wiphy memory will be freed, and then when it eventally gets to run\nit\u0027ll use invalid memory.\n\nFix this by canceling the work before freeing the wiphy."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T16:30:58.637Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8930a3e1568cf534f86c8ed2def817c6d0528fc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/0272d4af7f92997541d8bbf4c51918b93ded6ee2"
        },
        {
          "url": "https://git.kernel.org/stable/c/75d262ad3c36d52852d764588fcd887f0fcd9138"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5158d67bff06cb6fea31be39aeb319fd908ed8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/dea22de162058216a90f2706f0d0b36f0ff309fd"
        },
        {
          "url": "https://git.kernel.org/stable/c/72d520476a2fab6f3489e8388ab524985d6c4b90"
        }
      ],
      "title": "wifi: cfg80211: cancel wiphy_work before freeing wiphy",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21979",
    "datePublished": "2025-04-01T15:47:08.699Z",
    "dateReserved": "2024-12-29T08:45:45.798Z",
    "dateUpdated": "2026-02-06T16:30:58.637Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37875 (GCVE-0-2025-37875)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:44 – Updated: 2025-11-03 19:56

Title

igc: fix PTM cycle trigger logic

Summary

In the Linux kernel, the following vulnerability has been resolved: igc: fix PTM cycle trigger logic Writing to clear the PTM status 'valid' bit while the PTM cycle is triggered results in unreliable PTM operation. To fix this, clear the PTM 'trigger' and status after each PTM transaction. The issue can be reproduced with the following: $ sudo phc2sys -R 1000 -O 0 -i tsn0 -m Note: 1000 Hz (-R 1000) is unrealistically large, but provides a way to quickly reproduce the issue. PHC2SYS exits with: "ioctl PTP_OFFSET_PRECISE: Connection timed out" when the PTM transaction fails This patch also fixes a hang in igc_probe() when loading the igc driver in the kdump kernel on systems supporting PTM. The igc driver running in the base kernel enables PTM trigger in igc_probe(). Therefore the driver is always in PTM trigger mode, except in brief periods when manually triggering a PTM cycle. When a crash occurs, the NIC is reset while PTM trigger is enabled. Due to a hardware problem, the NIC is subsequently in a bad busmaster state and doesn't handle register reads/writes. When running igc_probe() in the kdump kernel, the first register access to a NIC register hangs driver probing and ultimately breaks kdump. With this patch, igc has PTM trigger disabled most of the time, and the trigger is only enabled for very brief (10 - 100 us) periods when manually triggering a PTM cycle. Chances that a crash occurs during a PTM trigger are not 0, but extremely reduced.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c1f174edaccc5a00f…
	https://git.kernel.org/stable/c/0c03e4fbe1321697d…
	https://git.kernel.org/stable/c/16194ca3f3b4448a0…
	https://git.kernel.org/stable/c/f3516229cd12dcd45…
	https://git.kernel.org/stable/c/31959e06143692f7e…
	https://git.kernel.org/stable/c/8e404ad95d2c10c26…

Impacted products

Vendor

Product

Version

Linux

Affected: a90ec84837325df4b9a6798c2cc0df202b5680bd , < c1f174edaccc5a00f8e218c42a0aa9156efd5f76 (git)
Affected: a90ec84837325df4b9a6798c2cc0df202b5680bd , < 0c03e4fbe1321697d9d04587e21e416705e1b19f (git)
Affected: a90ec84837325df4b9a6798c2cc0df202b5680bd , < 16194ca3f3b4448a062650c869a7b3b206c6f5d3 (git)
Affected: a90ec84837325df4b9a6798c2cc0df202b5680bd , < f3516229cd12dcd45f23ed01adab17e8772b1bd5 (git)
Affected: a90ec84837325df4b9a6798c2cc0df202b5680bd , < 31959e06143692f7e02b8eef7d7d6ac645637906 (git)
Affected: a90ec84837325df4b9a6798c2cc0df202b5680bd , < 8e404ad95d2c10c261e2ef6992c7c12dde03df0e (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:49.727Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/igc/igc_defines.h",
            "drivers/net/ethernet/intel/igc/igc_ptp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c1f174edaccc5a00f8e218c42a0aa9156efd5f76",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            },
            {
              "lessThan": "0c03e4fbe1321697d9d04587e21e416705e1b19f",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            },
            {
              "lessThan": "16194ca3f3b4448a062650c869a7b3b206c6f5d3",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            },
            {
              "lessThan": "f3516229cd12dcd45f23ed01adab17e8772b1bd5",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            },
            {
              "lessThan": "31959e06143692f7e02b8eef7d7d6ac645637906",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            },
            {
              "lessThan": "8e404ad95d2c10c261e2ef6992c7c12dde03df0e",
              "status": "affected",
              "version": "a90ec84837325df4b9a6798c2cc0df202b5680bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/igc/igc_defines.h",
            "drivers/net/ethernet/intel/igc/igc_ptp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nigc: fix PTM cycle trigger logic\n\nWriting to clear the PTM status \u0027valid\u0027 bit while the PTM cycle is\ntriggered results in unreliable PTM operation. To fix this, clear the\nPTM \u0027trigger\u0027 and status after each PTM transaction.\n\nThe issue can be reproduced with the following:\n\n$ sudo phc2sys -R 1000 -O 0 -i tsn0 -m\n\nNote: 1000 Hz (-R 1000) is unrealistically large, but provides a way to\nquickly reproduce the issue.\n\nPHC2SYS exits with:\n\n\"ioctl PTP_OFFSET_PRECISE: Connection timed out\" when the PTM transaction\n  fails\n\nThis patch also fixes a hang in igc_probe() when loading the igc\ndriver in the kdump kernel on systems supporting PTM.\n\nThe igc driver running in the base kernel enables PTM trigger in\nigc_probe().  Therefore the driver is always in PTM trigger mode,\nexcept in brief periods when manually triggering a PTM cycle.\n\nWhen a crash occurs, the NIC is reset while PTM trigger is enabled.\nDue to a hardware problem, the NIC is subsequently in a bad busmaster\nstate and doesn\u0027t handle register reads/writes.  When running\nigc_probe() in the kdump kernel, the first register access to a NIC\nregister hangs driver probing and ultimately breaks kdump.\n\nWith this patch, igc has PTM trigger disabled most of the time,\nand the trigger is only enabled for very brief (10 - 100 us) periods\nwhen manually triggering a PTM cycle.  Chances that a crash occurs\nduring a PTM trigger are not 0, but extremely reduced."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:48.769Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c1f174edaccc5a00f8e218c42a0aa9156efd5f76"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c03e4fbe1321697d9d04587e21e416705e1b19f"
        },
        {
          "url": "https://git.kernel.org/stable/c/16194ca3f3b4448a062650c869a7b3b206c6f5d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3516229cd12dcd45f23ed01adab17e8772b1bd5"
        },
        {
          "url": "https://git.kernel.org/stable/c/31959e06143692f7e02b8eef7d7d6ac645637906"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e404ad95d2c10c261e2ef6992c7c12dde03df0e"
        }
      ],
      "title": "igc: fix PTM cycle trigger logic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37875",
    "datePublished": "2025-05-09T06:44:03.368Z",
    "dateReserved": "2025-04-16T04:51:23.960Z",
    "dateUpdated": "2025-11-03T19:56:49.727Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21704 (GCVE-0-2025-21704)

Vulnerability from cvelistv5 – Published: 2025-02-22 09:43 – Updated: 2025-11-03 19:35

Title

usb: cdc-acm: Check control transfer buffer size before access

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: cdc-acm: Check control transfer buffer size before access If the first fragment is shorter than struct usb_cdc_notification, we can't calculate an expected_size. Log an error and discard the notification instead of reading lengths from memory outside the received data, which can lead to memory corruption when the expected_size decreases between fragments, causing `expected_size - acm->nb_index` to wrap. This issue has been present since the beginning of git history; however, it only leads to memory corruption since commit ea2583529cd1 ("cdc-acm: reassemble fragmented notifications"). A mitigating factor is that acm_ctrl_irq() can only execute after userspace has opened /dev/ttyACM*; but if ModemManager is running, ModemManager will do that automatically depending on the USB device's vendor/product IDs and its other interfaces.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a4e1ae5c053396417…
	https://git.kernel.org/stable/c/90dd2f1b7342b9a67…
	https://git.kernel.org/stable/c/871619c2b78fdfe05…
	https://git.kernel.org/stable/c/7828e9363ac4d23b0…
	https://git.kernel.org/stable/c/6abb510251e75f875…
	https://git.kernel.org/stable/c/f64079bef6a8a7823…
	https://git.kernel.org/stable/c/383d516a0ebc86413…
	https://git.kernel.org/stable/c/e563b01208f4d1f60…
	https://project-zero.issues.chromium.org/issues/3…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 90dd2f1b7342b9a671a5ea4160f408037b92b118 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 871619c2b78fdfe05afb4e8ba548678687beb812 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 7828e9363ac4d23b02419bf2a45b9f1d9fb35646 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 6abb510251e75f875797d8983a830e6731fa281c (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < f64079bef6a8a7823358c3f352ea29a617844636 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 383d516a0ebc8641372b521c8cb717f0f1834831 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e563b01208f4d1f609bcab13333b6c0e24ce6a01 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.79 , ≤ 6.6.* (semver)
Unaffected: 6.12.16 , ≤ 6.12.* (semver)
Unaffected: 6.13.4 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:35:54.825Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/class/cdc-acm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "90dd2f1b7342b9a671a5ea4160f408037b92b118",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "871619c2b78fdfe05afb4e8ba548678687beb812",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "7828e9363ac4d23b02419bf2a45b9f1d9fb35646",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "6abb510251e75f875797d8983a830e6731fa281c",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "f64079bef6a8a7823358c3f352ea29a617844636",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "383d516a0ebc8641372b521c8cb717f0f1834831",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e563b01208f4d1f609bcab13333b6c0e24ce6a01",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/class/cdc-acm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: cdc-acm: Check control transfer buffer size before access\n\nIf the first fragment is shorter than struct usb_cdc_notification, we can\u0027t\ncalculate an expected_size. Log an error and discard the notification\ninstead of reading lengths from memory outside the received data, which can\nlead to memory corruption when the expected_size decreases between\nfragments, causing `expected_size - acm-\u003enb_index` to wrap.\n\nThis issue has been present since the beginning of git history; however,\nit only leads to memory corruption since commit ea2583529cd1\n(\"cdc-acm: reassemble fragmented notifications\").\n\nA mitigating factor is that acm_ctrl_irq() can only execute after userspace\nhas opened /dev/ttyACM*; but if ModemManager is running, ModemManager will\ndo that automatically depending on the USB device\u0027s vendor/product IDs and\nits other interfaces."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:21.210Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a4e1ae5c0533964170197e4fb4f33bc8c1db5cd2"
        },
        {
          "url": "https://git.kernel.org/stable/c/90dd2f1b7342b9a671a5ea4160f408037b92b118"
        },
        {
          "url": "https://git.kernel.org/stable/c/871619c2b78fdfe05afb4e8ba548678687beb812"
        },
        {
          "url": "https://git.kernel.org/stable/c/7828e9363ac4d23b02419bf2a45b9f1d9fb35646"
        },
        {
          "url": "https://git.kernel.org/stable/c/6abb510251e75f875797d8983a830e6731fa281c"
        },
        {
          "url": "https://git.kernel.org/stable/c/f64079bef6a8a7823358c3f352ea29a617844636"
        },
        {
          "url": "https://git.kernel.org/stable/c/383d516a0ebc8641372b521c8cb717f0f1834831"
        },
        {
          "url": "https://git.kernel.org/stable/c/e563b01208f4d1f609bcab13333b6c0e24ce6a01"
        },
        {
          "url": "https://project-zero.issues.chromium.org/issues/395107243"
        }
      ],
      "title": "usb: cdc-acm: Check control transfer buffer size before access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21704",
    "datePublished": "2025-02-22T09:43:37.377Z",
    "dateReserved": "2024-12-29T08:45:45.751Z",
    "dateUpdated": "2025-11-03T19:35:54.825Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-49636 (GCVE-0-2022-49636)

Vulnerability from cvelistv5 – Published: 2025-02-26 02:23 – Updated: 2025-05-04 08:42

Title

vlan: fix memory leak in vlan_newlink()

Summary

In the Linux kernel, the following vulnerability has been resolved: vlan: fix memory leak in vlan_newlink() Blamed commit added back a bug I fixed in commit 9bbd917e0bec ("vlan: fix memory leak in vlan_dev_set_egress_priority") If a memory allocation fails in vlan_changelink() after other allocations succeeded, we need to call vlan_dev_free_egress_priority() to free all allocated memory because after a failed ->newlink() we do not call any methods like ndo_uninit() or dev->priv_destructor(). In following example, if the allocation for last element 2000:2001 fails, we need to free eight prior allocations: ip link add link dummy0 dummy0.100 type vlan id 100 \ egress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001 syzbot report was: BUG: memory leak unreferenced object 0xffff888117bd1060 (size 32): comm "syz-executor408", pid 3759, jiffies 4294956555 (age 34.090s) hex dump (first 32 bytes): 09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<ffffffff83fc60ad>] kmalloc include/linux/slab.h:600 [inline] [<ffffffff83fc60ad>] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193 [<ffffffff83fc6628>] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128 [<ffffffff83fc67c8>] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185 [<ffffffff838b1278>] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline] [<ffffffff838b1278>] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580 [<ffffffff838b1629>] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593 [<ffffffff838ac66c>] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089 [<ffffffff839f9c37>] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501 [<ffffffff839f8da7>] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline] [<ffffffff839f8da7>] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345 [<ffffffff839f9266>] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921 [<ffffffff8384dbf6>] sock_sendmsg_nosec net/socket.c:714 [inline] [<ffffffff8384dbf6>] sock_sendmsg+0x56/0x80 net/socket.c:734 [<ffffffff8384e15c>] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488 [<ffffffff838523cb>] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542 [<ffffffff838525b8>] __sys_sendmsg net/socket.c:2571 [inline] [<ffffffff838525b8>] __do_sys_sendmsg net/socket.c:2580 [inline] [<ffffffff838525b8>] __se_sys_sendmsg net/socket.c:2578 [inline] [<ffffffff838525b8>] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578 [<ffffffff845ad8d5>] do_syscall_x64 arch/x86/entry/common.c:50 [inline] [<ffffffff845ad8d5>] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 [<ffffffff8460006a>] entry_SYSCALL_64_after_hwframe+0x46/0xb0

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/549de58dba4bf1b2a…
	https://git.kernel.org/stable/c/df27729a4fe0002df…
	https://git.kernel.org/stable/c/f5dc10b910bdac523…
	https://git.kernel.org/stable/c/4c43069bb1097dd6c…
	https://git.kernel.org/stable/c/72a0b329114b1caa8…

Impacted products

Vendor

Product

Version

Linux

Affected: b195d229de401377f70c04e0dff93b342464ec8e , < 549de58dba4bf1b2adc72e9948b9c76fa88be9d2 (git)
Affected: 62d7ad2c191122119c66361ba6d9f04974b51afe , < df27729a4fe0002dfd80c96fe1c142829c672728 (git)
Affected: 842801181864690fdcde73b017cce4c1353a7083 , < f5dc10b910bdac523e5947336445a77066c51bf9 (git)
Affected: 37aa50c539bcbcc01767e515bd170787fcfc0f33 , < 4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b (git)
Affected: 37aa50c539bcbcc01767e515bd170787fcfc0f33 , < 72a0b329114b1caa8e69dfa7cdad1dd3c69b8602 (git)

Linux

Affected: 5.17
Unaffected: 0 , < 5.17 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 5.18.13 , ≤ 5.18.* (semver)
Unaffected: 5.19 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/8021q/vlan_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "549de58dba4bf1b2adc72e9948b9c76fa88be9d2",
              "status": "affected",
              "version": "b195d229de401377f70c04e0dff93b342464ec8e",
              "versionType": "git"
            },
            {
              "lessThan": "df27729a4fe0002dfd80c96fe1c142829c672728",
              "status": "affected",
              "version": "62d7ad2c191122119c66361ba6d9f04974b51afe",
              "versionType": "git"
            },
            {
              "lessThan": "f5dc10b910bdac523e5947336445a77066c51bf9",
              "status": "affected",
              "version": "842801181864690fdcde73b017cce4c1353a7083",
              "versionType": "git"
            },
            {
              "lessThan": "4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b",
              "status": "affected",
              "version": "37aa50c539bcbcc01767e515bd170787fcfc0f33",
              "versionType": "git"
            },
            {
              "lessThan": "72a0b329114b1caa8e69dfa7cdad1dd3c69b8602",
              "status": "affected",
              "version": "37aa50c539bcbcc01767e515bd170787fcfc0f33",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/8021q/vlan_netlink.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.18.*",
              "status": "unaffected",
              "version": "5.18.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "5.19",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "5.4.291",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.10.235",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.15.142",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.18.13",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.19",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvlan: fix memory leak in vlan_newlink()\n\nBlamed commit added back a bug I fixed in commit 9bbd917e0bec\n(\"vlan: fix memory leak in vlan_dev_set_egress_priority\")\n\nIf a memory allocation fails in vlan_changelink() after other allocations\nsucceeded, we need to call vlan_dev_free_egress_priority()\nto free all allocated memory because after a failed -\u003enewlink()\nwe do not call any methods like ndo_uninit() or dev-\u003epriv_destructor().\n\nIn following example, if the allocation for last element 2000:2001 fails,\nwe need to free eight prior allocations:\n\nip link add link dummy0 dummy0.100 type vlan id 100 \\\n\tegress-qos-map 1:2 2:3 3:4 4:5 5:6 6:7 7:8 8:9 2000:2001\n\nsyzbot report was:\n\nBUG: memory leak\nunreferenced object 0xffff888117bd1060 (size 32):\ncomm \"syz-executor408\", pid 3759, jiffies 4294956555 (age 34.090s)\nhex dump (first 32 bytes):\n09 00 00 00 00 a0 00 00 00 00 00 00 00 00 00 00 ................\n00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................\nbacktrace:\n[\u003cffffffff83fc60ad\u003e] kmalloc include/linux/slab.h:600 [inline]\n[\u003cffffffff83fc60ad\u003e] vlan_dev_set_egress_priority+0xed/0x170 net/8021q/vlan_dev.c:193\n[\u003cffffffff83fc6628\u003e] vlan_changelink+0x178/0x1d0 net/8021q/vlan_netlink.c:128\n[\u003cffffffff83fc67c8\u003e] vlan_newlink+0x148/0x260 net/8021q/vlan_netlink.c:185\n[\u003cffffffff838b1278\u003e] rtnl_newlink_create net/core/rtnetlink.c:3363 [inline]\n[\u003cffffffff838b1278\u003e] __rtnl_newlink+0xa58/0xdc0 net/core/rtnetlink.c:3580\n[\u003cffffffff838b1629\u003e] rtnl_newlink+0x49/0x70 net/core/rtnetlink.c:3593\n[\u003cffffffff838ac66c\u003e] rtnetlink_rcv_msg+0x21c/0x5c0 net/core/rtnetlink.c:6089\n[\u003cffffffff839f9c37\u003e] netlink_rcv_skb+0x87/0x1d0 net/netlink/af_netlink.c:2501\n[\u003cffffffff839f8da7\u003e] netlink_unicast_kernel net/netlink/af_netlink.c:1319 [inline]\n[\u003cffffffff839f8da7\u003e] netlink_unicast+0x397/0x4c0 net/netlink/af_netlink.c:1345\n[\u003cffffffff839f9266\u003e] netlink_sendmsg+0x396/0x710 net/netlink/af_netlink.c:1921\n[\u003cffffffff8384dbf6\u003e] sock_sendmsg_nosec net/socket.c:714 [inline]\n[\u003cffffffff8384dbf6\u003e] sock_sendmsg+0x56/0x80 net/socket.c:734\n[\u003cffffffff8384e15c\u003e] ____sys_sendmsg+0x36c/0x390 net/socket.c:2488\n[\u003cffffffff838523cb\u003e] ___sys_sendmsg+0x8b/0xd0 net/socket.c:2542\n[\u003cffffffff838525b8\u003e] __sys_sendmsg net/socket.c:2571 [inline]\n[\u003cffffffff838525b8\u003e] __do_sys_sendmsg net/socket.c:2580 [inline]\n[\u003cffffffff838525b8\u003e] __se_sys_sendmsg net/socket.c:2578 [inline]\n[\u003cffffffff838525b8\u003e] __x64_sys_sendmsg+0x78/0xf0 net/socket.c:2578\n[\u003cffffffff845ad8d5\u003e] do_syscall_x64 arch/x86/entry/common.c:50 [inline]\n[\u003cffffffff845ad8d5\u003e] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80\n[\u003cffffffff8460006a\u003e] entry_SYSCALL_64_after_hwframe+0x46/0xb0"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T08:42:17.541Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/549de58dba4bf1b2adc72e9948b9c76fa88be9d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/df27729a4fe0002dfd80c96fe1c142829c672728"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5dc10b910bdac523e5947336445a77066c51bf9"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c43069bb1097dd6cc1cf0f7c43a36d1f7b3910b"
        },
        {
          "url": "https://git.kernel.org/stable/c/72a0b329114b1caa8e69dfa7cdad1dd3c69b8602"
        }
      ],
      "title": "vlan: fix memory leak in vlan_newlink()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2022-49636",
    "datePublished": "2025-02-26T02:23:46.222Z",
    "dateReserved": "2025-02-26T02:21:30.429Z",
    "dateUpdated": "2025-05-04T08:42:17.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21749 (GCVE-0-2025-21749)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:12 – Updated: 2025-11-03 19:36

Title

net: rose: lock the socket in rose_bind()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: rose: lock the socket in rose_bind() syzbot reported a soft lockup in rose_loopback_timer(), with a repro calling bind() from multiple threads. rose_bind() must lock the socket to avoid this issue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b8bf5c3fb778bbb1f…
	https://git.kernel.org/stable/c/ed00c5f907d08a647…
	https://git.kernel.org/stable/c/d308661a0f4e7c8e8…
	https://git.kernel.org/stable/c/667f61b3498df751c…
	https://git.kernel.org/stable/c/e0384efd45f615603…
	https://git.kernel.org/stable/c/970cd2ed26cdab2b0…
	https://git.kernel.org/stable/c/4c04b0ab3a647e76d…
	https://git.kernel.org/stable/c/a1300691aed9ee852…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b8bf5c3fb778bbb1f3ff7d98ec577c969f687513 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ed00c5f907d08a647b8bf987514ad8c6b17971a7 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < d308661a0f4e7c8e86dfc7074a55ee5894c61538 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 667f61b3498df751c8b3f0be1637e7226cbe3ed0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < e0384efd45f615603e6869205b72040c209e69cc (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 970cd2ed26cdab2b0f15b6d90d7eaa36538244a5 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 4c04b0ab3a647e76d0e752b013de8e404abafc63 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < a1300691aed9ee852b0a9192e29e2bdc2411a7e6 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.78 , ≤ 6.6.* (semver)
Unaffected: 6.12.14 , ≤ 6.12.* (semver)
Unaffected: 6.13.3 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:54.163Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/rose/af_rose.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b8bf5c3fb778bbb1f3ff7d98ec577c969f687513",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "ed00c5f907d08a647b8bf987514ad8c6b17971a7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "d308661a0f4e7c8e86dfc7074a55ee5894c61538",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "667f61b3498df751c8b3f0be1637e7226cbe3ed0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "e0384efd45f615603e6869205b72040c209e69cc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "970cd2ed26cdab2b0f15b6d90d7eaa36538244a5",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "4c04b0ab3a647e76d0e752b013de8e404abafc63",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "a1300691aed9ee852b0a9192e29e2bdc2411a7e6",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/rose/af_rose.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: rose: lock the socket in rose_bind()\n\nsyzbot reported a soft lockup in rose_loopback_timer(),\nwith a repro calling bind() from multiple threads.\n\nrose_bind() must lock the socket to avoid this issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:17.259Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b8bf5c3fb778bbb1f3ff7d98ec577c969f687513"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed00c5f907d08a647b8bf987514ad8c6b17971a7"
        },
        {
          "url": "https://git.kernel.org/stable/c/d308661a0f4e7c8e86dfc7074a55ee5894c61538"
        },
        {
          "url": "https://git.kernel.org/stable/c/667f61b3498df751c8b3f0be1637e7226cbe3ed0"
        },
        {
          "url": "https://git.kernel.org/stable/c/e0384efd45f615603e6869205b72040c209e69cc"
        },
        {
          "url": "https://git.kernel.org/stable/c/970cd2ed26cdab2b0f15b6d90d7eaa36538244a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c04b0ab3a647e76d0e752b013de8e404abafc63"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1300691aed9ee852b0a9192e29e2bdc2411a7e6"
        }
      ],
      "title": "net: rose: lock the socket in rose_bind()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21749",
    "datePublished": "2025-02-27T02:12:20.305Z",
    "dateReserved": "2024-12-29T08:45:45.758Z",
    "dateUpdated": "2025-11-03T19:36:54.163Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21972 (GCVE-0-2025-21972)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-05-04 07:26

Title

net: mctp: unshare packets when reassembling

Summary

In the Linux kernel, the following vulnerability has been resolved: net: mctp: unshare packets when reassembling Ensure that the frag_list used for reassembly isn't shared with other packets. This avoids incorrect reassembly when packets are cloned, and prevents a memory leak due to circular references between fragments and their skb_shared_info. The upcoming MCTP-over-USB driver uses skb_clone which can trigger the problem - other MCTP drivers don't share SKBs. A kunit test is added to reproduce the issue.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5c47d5bfa7b096cf8…
	https://git.kernel.org/stable/c/f44fff3d3c6cd67b6…
	https://git.kernel.org/stable/c/f5d83cf0eeb90fade…

Impacted products

Vendor

Product

Version

Linux

Affected: 4a992bbd365094730a31bae1e12a6ca695336d57 , < 5c47d5bfa7b096cf8890afac32141c578583f8e0 (git)
Affected: 4a992bbd365094730a31bae1e12a6ca695336d57 , < f44fff3d3c6cd67b6f348b821d73c4d6888c7a6e (git)
Affected: 4a992bbd365094730a31bae1e12a6ca695336d57 , < f5d83cf0eeb90fade4d5c4d17d24b8bee9ceeecc (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/mctp/route.c",
            "net/mctp/test/route-test.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5c47d5bfa7b096cf8890afac32141c578583f8e0",
              "status": "affected",
              "version": "4a992bbd365094730a31bae1e12a6ca695336d57",
              "versionType": "git"
            },
            {
              "lessThan": "f44fff3d3c6cd67b6f348b821d73c4d6888c7a6e",
              "status": "affected",
              "version": "4a992bbd365094730a31bae1e12a6ca695336d57",
              "versionType": "git"
            },
            {
              "lessThan": "f5d83cf0eeb90fade4d5c4d17d24b8bee9ceeecc",
              "status": "affected",
              "version": "4a992bbd365094730a31bae1e12a6ca695336d57",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/mctp/route.c",
            "net/mctp/test/route-test.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: mctp: unshare packets when reassembling\n\nEnsure that the frag_list used for reassembly isn\u0027t shared with other\npackets. This avoids incorrect reassembly when packets are cloned, and\nprevents a memory leak due to circular references between fragments and\ntheir skb_shared_info.\n\nThe upcoming MCTP-over-USB driver uses skb_clone which can trigger the\nproblem - other MCTP drivers don\u0027t share SKBs.\n\nA kunit test is added to reproduce the issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:10.249Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5c47d5bfa7b096cf8890afac32141c578583f8e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f44fff3d3c6cd67b6f348b821d73c4d6888c7a6e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5d83cf0eeb90fade4d5c4d17d24b8bee9ceeecc"
        }
      ],
      "title": "net: mctp: unshare packets when reassembling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21972",
    "datePublished": "2025-04-01T15:47:04.960Z",
    "dateReserved": "2024-12-29T08:45:45.797Z",
    "dateUpdated": "2025-05-04T07:26:10.249Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22113 (GCVE-0-2025-22113)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-09-09 17:05

Title

ext4: avoid journaling sb update on error if journal is destroying

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: avoid journaling sb update on error if journal is destroying Presently we always BUG_ON if trying to start a transaction on a journal marked with JBD2_UNMOUNT, since this should never happen. However, while ltp running stress tests, it was observed that in case of some error handling paths, it is possible for update_super_work to start a transaction after the journal is destroyed eg: (umount) ext4_kill_sb kill_block_super generic_shutdown_super sync_filesystem /* commits all txns */ evict_inodes /* might start a new txn */ ext4_put_super flush_work(&sbi->s_sb_upd_work) /* flush the workqueue */ jbd2_journal_destroy journal_kill_thread journal->j_flags |= JBD2_UNMOUNT; jbd2_journal_commit_transaction jbd2_journal_get_descriptor_buffer jbd2_journal_bmap ext4_journal_bmap ext4_map_blocks ... ext4_inode_error ext4_handle_error schedule_work(&sbi->s_sb_upd_work) /* work queue kicks in */ update_super_work jbd2_journal_start start_this_handle BUG_ON(journal->j_flags & JBD2_UNMOUNT) Hence, introduce a new mount flag to indicate journal is destroying and only do a journaled (and deferred) update of sb if this flag is not set. Otherwise, just fallback to an un-journaled commit. Further, in the journal destroy path, we have the following sequence: 1. Set mount flag indicating journal is destroying 2. force a commit and wait for it 3. flush pending sb updates This sequence is important as it ensures that, after this point, there is no sb update that might be journaled so it is safe to update the sb outside the journal. (To avoid race discussed in 2d01ddc86606) Also, we don't need a similar check in ext4_grp_locked_error since it is only called from mballoc and AFAICT it would be always valid to schedule work here.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/eddca44ddf810e27f…
	https://git.kernel.org/stable/c/db05767b5bc307143…
	https://git.kernel.org/stable/c/ce2f26e73783b4a7c…

Impacted products

Vendor

Product

Version

Linux

Affected: 2d01ddc86606564fb08c56e3bc93a0693895f710 , < eddca44ddf810e27f0c96913aa3cc92ebd679ddb (git)
Affected: 2d01ddc86606564fb08c56e3bc93a0693895f710 , < db05767b5bc307143d99fe2afd8c43af58d2ebef (git)
Affected: 2d01ddc86606564fb08c56e3bc93a0693895f710 , < ce2f26e73783b4a7c46a86e3af5b5c8de0971790 (git)

Linux

Affected: 5.11
Unaffected: 0 , < 5.11 (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/ext4.h",
            "fs/ext4/ext4_jbd2.h",
            "fs/ext4/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "eddca44ddf810e27f0c96913aa3cc92ebd679ddb",
              "status": "affected",
              "version": "2d01ddc86606564fb08c56e3bc93a0693895f710",
              "versionType": "git"
            },
            {
              "lessThan": "db05767b5bc307143d99fe2afd8c43af58d2ebef",
              "status": "affected",
              "version": "2d01ddc86606564fb08c56e3bc93a0693895f710",
              "versionType": "git"
            },
            {
              "lessThan": "ce2f26e73783b4a7c46a86e3af5b5c8de0971790",
              "status": "affected",
              "version": "2d01ddc86606564fb08c56e3bc93a0693895f710",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/ext4.h",
            "fs/ext4/ext4_jbd2.h",
            "fs/ext4/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.11"
            },
            {
              "lessThan": "5.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: avoid journaling sb update on error if journal is destroying\n\nPresently we always BUG_ON if trying to start a transaction on a journal marked\nwith JBD2_UNMOUNT, since this should never happen. However, while ltp running\nstress tests, it was observed that in case of some error handling paths, it is\npossible for update_super_work to start a transaction after the journal is\ndestroyed eg:\n\n(umount)\next4_kill_sb\n  kill_block_super\n    generic_shutdown_super\n      sync_filesystem /* commits all txns */\n      evict_inodes\n        /* might start a new txn */\n      ext4_put_super\n\tflush_work(\u0026sbi-\u003es_sb_upd_work) /* flush the workqueue */\n        jbd2_journal_destroy\n          journal_kill_thread\n            journal-\u003ej_flags |= JBD2_UNMOUNT;\n          jbd2_journal_commit_transaction\n            jbd2_journal_get_descriptor_buffer\n              jbd2_journal_bmap\n                ext4_journal_bmap\n                  ext4_map_blocks\n                    ...\n                    ext4_inode_error\n                      ext4_handle_error\n                        schedule_work(\u0026sbi-\u003es_sb_upd_work)\n\n                                               /* work queue kicks in */\n                                               update_super_work\n                                                 jbd2_journal_start\n                                                   start_this_handle\n                                                     BUG_ON(journal-\u003ej_flags \u0026\n                                                            JBD2_UNMOUNT)\n\nHence, introduce a new mount flag to indicate journal is destroying and only do\na journaled (and deferred) update of sb if this flag is not set. Otherwise, just\nfallback to an un-journaled commit.\n\nFurther, in the journal destroy path, we have the following sequence:\n\n  1. Set mount flag indicating journal is destroying\n  2. force a commit and wait for it\n  3. flush pending sb updates\n\nThis sequence is important as it ensures that, after this point, there is no sb\nupdate that might be journaled so it is safe to update the sb outside the\njournal. (To avoid race discussed in 2d01ddc86606)\n\nAlso, we don\u0027t need a similar check in ext4_grp_locked_error since it is only\ncalled from mballoc and AFAICT it would be always valid to schedule work here."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:05:50.940Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/eddca44ddf810e27f0c96913aa3cc92ebd679ddb"
        },
        {
          "url": "https://git.kernel.org/stable/c/db05767b5bc307143d99fe2afd8c43af58d2ebef"
        },
        {
          "url": "https://git.kernel.org/stable/c/ce2f26e73783b4a7c46a86e3af5b5c8de0971790"
        }
      ],
      "title": "ext4: avoid journaling sb update on error if journal is destroying",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22113",
    "datePublished": "2025-04-16T14:12:59.228Z",
    "dateReserved": "2024-12-29T08:45:45.821Z",
    "dateUpdated": "2025-09-09T17:05:50.940Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37838 (GCVE-0-2025-37838)

Vulnerability from cvelistv5 – Published: 2025-04-18 14:20 – Updated: 2026-01-02 15:29

Title

HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition

Summary

In the Linux kernel, the following vulnerability has been resolved: HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition In the ssi_protocol_probe() function, &ssi->work is bound with ssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function within the ssip_pn_ops structure is capable of starting the work. If we remove the module which will call ssi_protocol_remove() to make a cleanup, it will free ssi through kfree(ssi), while the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | ssip_xmit_work ssi_protocol_remove | kfree(ssi); | | struct hsi_client *cl = ssi->cl; | // use ssi Fix it by ensuring that the work is canceled before proceeding with the cleanup in ssi_protocol_remove().

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d03abc1c2b2132455…
	https://git.kernel.org/stable/c/4a8c29beb8a02b5a0…
	https://git.kernel.org/stable/c/72972552d0d0bfeb2…
	https://git.kernel.org/stable/c/d58493832e284f066…
	https://git.kernel.org/stable/c/58eb29dba712ab0f1…
	https://git.kernel.org/stable/c/ae5a6a0b425e8f76a…
	https://git.kernel.org/stable/c/834e602d0cc7c743b…
	https://git.kernel.org/stable/c/4b4194c9a7a8f92db…
	https://git.kernel.org/stable/c/e3f88665a78045fe3…

Impacted products

Vendor

Product

Version

Linux

Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < d03abc1c2b21324550fa71e12d53e7d3498e0af6 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 72972552d0d0bfeb2dec5daf343a19018db36ffa (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < d58493832e284f066e559b8da5ab20c15a2801d3 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 58eb29dba712ab0f13af59ca2fe545f5ce360e78 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < ae5a6a0b425e8f76a9f0677e50796e494e89b088 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 834e602d0cc7c743bfce734fad4a46cefc0f9ab1 (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < 4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f (git)
Affected: df26d639e2f4628732a8da5a0f71e4e652ce809b , < e3f88665a78045fe35c7669d2926b8d97b892c11 (git)

Linux

Affected: 4.8
Unaffected: 0 , < 4.8 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-37838",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T14:38:43.871416Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T14:41:43.037Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:09.541Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hsi/clients/ssi_protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d03abc1c2b21324550fa71e12d53e7d3498e0af6",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "72972552d0d0bfeb2dec5daf343a19018db36ffa",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "d58493832e284f066e559b8da5ab20c15a2801d3",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "58eb29dba712ab0f13af59ca2fe545f5ce360e78",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "ae5a6a0b425e8f76a9f0677e50796e494e89b088",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "834e602d0cc7c743bfce734fad4a46cefc0f9ab1",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            },
            {
              "lessThan": "e3f88665a78045fe35c7669d2926b8d97b892c11",
              "status": "affected",
              "version": "df26d639e2f4628732a8da5a0f71e4e652ce809b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hsi/clients/ssi_protocol.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.8"
            },
            {
              "lessThan": "4.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition\n\nIn the ssi_protocol_probe() function, \u0026ssi-\u003ework is bound with\nssip_xmit_work(), In ssip_pn_setup(), the ssip_pn_xmit() function\nwithin the ssip_pn_ops structure is capable of starting the\nwork.\n\nIf we remove the module which will call ssi_protocol_remove()\nto make a cleanup, it will free ssi through kfree(ssi),\nwhile the work mentioned above will be used. The sequence\nof operations that may lead to a UAF bug is as follows:\n\nCPU0                                    CPU1\n\n                        | ssip_xmit_work\nssi_protocol_remove     |\nkfree(ssi);             |\n                        | struct hsi_client *cl = ssi-\u003ecl;\n                        | // use ssi\n\nFix it by ensuring that the work is canceled before proceeding\nwith the cleanup in ssi_protocol_remove()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:12.021Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d03abc1c2b21324550fa71e12d53e7d3498e0af6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4a8c29beb8a02b5a0a9d77d608aa14b6f88a6b86"
        },
        {
          "url": "https://git.kernel.org/stable/c/72972552d0d0bfeb2dec5daf343a19018db36ffa"
        },
        {
          "url": "https://git.kernel.org/stable/c/d58493832e284f066e559b8da5ab20c15a2801d3"
        },
        {
          "url": "https://git.kernel.org/stable/c/58eb29dba712ab0f13af59ca2fe545f5ce360e78"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae5a6a0b425e8f76a9f0677e50796e494e89b088"
        },
        {
          "url": "https://git.kernel.org/stable/c/834e602d0cc7c743bfce734fad4a46cefc0f9ab1"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b4194c9a7a8f92db39e8e86c85f4fb12ebbec4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e3f88665a78045fe35c7669d2926b8d97b892c11"
        }
      ],
      "title": "HSI: ssi_protocol: Fix use after free vulnerability in ssi_protocol Driver Due to Race Condition",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37838",
    "datePublished": "2025-04-18T14:20:55.389Z",
    "dateReserved": "2025-04-16T04:51:23.952Z",
    "dateUpdated": "2026-01-02T15:29:12.021Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22078 (GCVE-0-2025-22078)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-05-26 05:17

Title

staging: vchiq_arm: Fix possible NPR of keep-alive thread

Summary

In the Linux kernel, the following vulnerability has been resolved: staging: vchiq_arm: Fix possible NPR of keep-alive thread In case vchiq_platform_conn_state_changed() is never called or fails before driver removal, ka_thread won't be a valid pointer to a task_struct. So do the necessary checks before calling kthread_stop to avoid a crash.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1817c4b8501199860…
	https://git.kernel.org/stable/c/a915c896f95a989a7…
	https://git.kernel.org/stable/c/bd38395b901327f77…
	https://git.kernel.org/stable/c/3db89bc6d973e2bca…

Impacted products

Vendor

Product

Version

Linux

Affected: 863a756aaf49ed23d25bbb1dad999a85f09e1836 , < 1817c4b85011998604e5ff9a80a6e01adb7e7e81 (git)
Affected: 863a756aaf49ed23d25bbb1dad999a85f09e1836 , < a915c896f95a989a7759a73f8c064f5dc3775175 (git)
Affected: 863a756aaf49ed23d25bbb1dad999a85f09e1836 , < bd38395b901327f77a82112f006240de22cf2ceb (git)
Affected: 863a756aaf49ed23d25bbb1dad999a85f09e1836 , < 3db89bc6d973e2bcaa852f6409c98c228f39a926 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1817c4b85011998604e5ff9a80a6e01adb7e7e81",
              "status": "affected",
              "version": "863a756aaf49ed23d25bbb1dad999a85f09e1836",
              "versionType": "git"
            },
            {
              "lessThan": "a915c896f95a989a7759a73f8c064f5dc3775175",
              "status": "affected",
              "version": "863a756aaf49ed23d25bbb1dad999a85f09e1836",
              "versionType": "git"
            },
            {
              "lessThan": "bd38395b901327f77a82112f006240de22cf2ceb",
              "status": "affected",
              "version": "863a756aaf49ed23d25bbb1dad999a85f09e1836",
              "versionType": "git"
            },
            {
              "lessThan": "3db89bc6d973e2bcaa852f6409c98c228f39a926",
              "status": "affected",
              "version": "863a756aaf49ed23d25bbb1dad999a85f09e1836",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/staging/vc04_services/interface/vchiq_arm/vchiq_arm.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nstaging: vchiq_arm: Fix possible NPR of keep-alive thread\n\nIn case vchiq_platform_conn_state_changed() is never called or fails before\ndriver removal, ka_thread won\u0027t be a valid pointer to a task_struct. So\ndo the necessary checks before calling kthread_stop to avoid a crash."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:59.735Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1817c4b85011998604e5ff9a80a6e01adb7e7e81"
        },
        {
          "url": "https://git.kernel.org/stable/c/a915c896f95a989a7759a73f8c064f5dc3775175"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd38395b901327f77a82112f006240de22cf2ceb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3db89bc6d973e2bcaa852f6409c98c228f39a926"
        }
      ],
      "title": "staging: vchiq_arm: Fix possible NPR of keep-alive thread",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22078",
    "datePublished": "2025-04-16T14:12:28.562Z",
    "dateReserved": "2024-12-29T08:45:45.815Z",
    "dateUpdated": "2025-05-26T05:17:59.735Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22015 (GCVE-0-2025-22015)

Vulnerability from cvelistv5 – Published: 2025-04-08 08:18 – Updated: 2025-11-03 19:41

Title

mm/migrate: fix shmem xarray update during migration

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/migrate: fix shmem xarray update during migration A shmem folio can be either in page cache or in swap cache, but not at the same time. Namely, once it is in swap cache, folio->mapping should be NULL, and the folio is no longer in a shmem mapping. In __folio_migrate_mapping(), to determine the number of xarray entries to update, folio_test_swapbacked() is used, but that conflates shmem in page cache case and shmem in swap cache case. It leads to xarray multi-index entry corruption, since it turns a sibling entry to a normal entry during xas_store() (see [1] for a userspace reproduction). Fix it by only using folio_test_swapcache() to determine whether xarray is storing swap cache entries or not to choose the right number of xarray entries to update. [1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/ Note: In __split_huge_page(), folio_test_anon() && folio_test_swapcache() is used to get swap_cache address space, but that ignores the shmem folio in swap cache case. It could lead to NULL pointer dereferencing when a in-swap-cache shmem folio is split at __xa_store(), since !folio_test_anon() is true and folio->mapping is NULL. But fortunately, its caller split_huge_page_to_list_to_order() bails out early with EBUSY when folio->mapping is NULL. So no need to take care of it here.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/49100c0b070e900f8…
	https://git.kernel.org/stable/c/29124ae980e2860f0…
	https://git.kernel.org/stable/c/c057ee03f751d6cec…
	https://git.kernel.org/stable/c/75cfb92eb63298d71…
	https://git.kernel.org/stable/c/60cf233b585cdf1f3…

Impacted products

Vendor

Product

Version

Linux

Affected: be72d197b2281e2ee3f28017fc9be1ab17e26d16 , < 49100c0b070e900f87c8fac3be9b9ef8a30fa673 (git)
Affected: 07550b1461d4d0499165e7d6f7718cfd0e440427 , < 29124ae980e2860f0eec7355949d3d3292ee81da (git)
Affected: fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c , < c057ee03f751d6cecf7ee64f52f6545d94082aaa (git)
Affected: fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c , < 75cfb92eb63298d717b6b0118f91ba12c4fcfeb5 (git)
Affected: fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c , < 60cf233b585cdf1f3c5e52d1225606b86acd08b0 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:00.297Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/migrate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "49100c0b070e900f87c8fac3be9b9ef8a30fa673",
              "status": "affected",
              "version": "be72d197b2281e2ee3f28017fc9be1ab17e26d16",
              "versionType": "git"
            },
            {
              "lessThan": "29124ae980e2860f0eec7355949d3d3292ee81da",
              "status": "affected",
              "version": "07550b1461d4d0499165e7d6f7718cfd0e440427",
              "versionType": "git"
            },
            {
              "lessThan": "c057ee03f751d6cecf7ee64f52f6545d94082aaa",
              "status": "affected",
              "version": "fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c",
              "versionType": "git"
            },
            {
              "lessThan": "75cfb92eb63298d717b6b0118f91ba12c4fcfeb5",
              "status": "affected",
              "version": "fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c",
              "versionType": "git"
            },
            {
              "lessThan": "60cf233b585cdf1f3c5e52d1225606b86acd08b0",
              "status": "affected",
              "version": "fc346d0a70a13d52fe1c4bc49516d83a42cd7c4c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/migrate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "6.1.71",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "6.6.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/migrate: fix shmem xarray update during migration\n\nA shmem folio can be either in page cache or in swap cache, but not at the\nsame time.  Namely, once it is in swap cache, folio-\u003emapping should be\nNULL, and the folio is no longer in a shmem mapping.\n\nIn __folio_migrate_mapping(), to determine the number of xarray entries to\nupdate, folio_test_swapbacked() is used, but that conflates shmem in page\ncache case and shmem in swap cache case.  It leads to xarray multi-index\nentry corruption, since it turns a sibling entry to a normal entry during\nxas_store() (see [1] for a userspace reproduction).  Fix it by only using\nfolio_test_swapcache() to determine whether xarray is storing swap cache\nentries or not to choose the right number of xarray entries to update.\n\n[1] https://lore.kernel.org/linux-mm/Z8idPCkaJW1IChjT@casper.infradead.org/\n\nNote:\nIn __split_huge_page(), folio_test_anon() \u0026\u0026 folio_test_swapcache() is\nused to get swap_cache address space, but that ignores the shmem folio in\nswap cache case.  It could lead to NULL pointer dereferencing when a\nin-swap-cache shmem folio is split at __xa_store(), since\n!folio_test_anon() is true and folio-\u003emapping is NULL.  But fortunately,\nits caller split_huge_page_to_list_to_order() bails out early with EBUSY\nwhen folio-\u003emapping is NULL.  So no need to take care of it here."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:44.695Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/49100c0b070e900f87c8fac3be9b9ef8a30fa673"
        },
        {
          "url": "https://git.kernel.org/stable/c/29124ae980e2860f0eec7355949d3d3292ee81da"
        },
        {
          "url": "https://git.kernel.org/stable/c/c057ee03f751d6cecf7ee64f52f6545d94082aaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/75cfb92eb63298d717b6b0118f91ba12c4fcfeb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/60cf233b585cdf1f3c5e52d1225606b86acd08b0"
        }
      ],
      "title": "mm/migrate: fix shmem xarray update during migration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22015",
    "datePublished": "2025-04-08T08:18:05.287Z",
    "dateReserved": "2024-12-29T08:45:45.806Z",
    "dateUpdated": "2025-11-03T19:41:00.297Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-3640 (GCVE-0-2022-3640)

Vulnerability from cvelistv5 – Published: 2022-10-21 00:00 – Updated: 2024-08-03 01:14

Title

Linux Kernel Bluetooth l2cap_core.c l2cap_conn_del use after free

Summary

A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211944.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-119 - Memory Corruption -> CWE-416 Use After Free

Assigner

VulDB

References

URL

Tags

	https://git.kernel.org/pub/scm/linux/kernel/git/b…
	https://vuldb.com/?id.211944
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.fedoraproject.org/archives/list/pac…	vendor-advisory
	https://lists.debian.org/debian-lts-announce/2022…	mailing-list
	https://lists.debian.org/debian-lts-announce/2022…	mailing-list

Impacted products

	Vendor	Product	Version
	Linux	Kernel	Affected: n/a

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-03T01:14:03.216Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=42cf46dea905a80f6de218e837ba4d4cc33d6979"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.211944"
          },
          {
            "name": "FEDORA-2022-64ab9153c0",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD7VWUT7YAU4CJ247IF44NGVOAODAJGC/"
          },
          {
            "name": "FEDORA-2022-65a0a3504a",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGOIRR72OAFE53XZRUDZDP7INGLIC3E3/"
          },
          {
            "name": "FEDORA-2022-7aadaadebc",
            "tags": [
              "vendor-advisory",
              "x_transferred"
            ],
            "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG2UPX3MQ7RKRJEUMGEH2TLPKZJCBU5C/"
          },
          {
            "name": "[debian-lts-announce] 20221222 [SECURITY] [DLA 3244-1] linux-5.10 security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html"
          },
          {
            "name": "[debian-lts-announce] 20221223 [SECURITY] [DLA 3245-1] linux security update",
            "tags": [
              "mailing-list",
              "x_transferred"
            ],
            "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Kernel",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability, which was classified as critical, was found in Linux Kernel. Affected is the function l2cap_conn_del of the file net/bluetooth/l2cap_core.c of the component Bluetooth. The manipulation leads to use after free. It is recommended to apply a patch to fix this issue. The identifier of this vulnerability is VDB-211944."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "ADJACENT_NETWORK",
            "availabilityImpact": "LOW",
            "baseScore": 5.5,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-119",
              "description": "CWE-119 Memory Corruption -\u003e CWE-416 Use After Free",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-12-24T00:00:00",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "url": "https://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next.git/commit/?id=42cf46dea905a80f6de218e837ba4d4cc33d6979"
        },
        {
          "url": "https://vuldb.com/?id.211944"
        },
        {
          "name": "FEDORA-2022-64ab9153c0",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/OD7VWUT7YAU4CJ247IF44NGVOAODAJGC/"
        },
        {
          "name": "FEDORA-2022-65a0a3504a",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/DGOIRR72OAFE53XZRUDZDP7INGLIC3E3/"
        },
        {
          "name": "FEDORA-2022-7aadaadebc",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/XG2UPX3MQ7RKRJEUMGEH2TLPKZJCBU5C/"
        },
        {
          "name": "[debian-lts-announce] 20221222 [SECURITY] [DLA 3244-1] linux-5.10 security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00031.html"
        },
        {
          "name": "[debian-lts-announce] 20221223 [SECURITY] [DLA 3245-1] linux security update",
          "tags": [
            "mailing-list"
          ],
          "url": "https://lists.debian.org/debian-lts-announce/2022/12/msg00034.html"
        }
      ],
      "title": "Linux Kernel Bluetooth l2cap_core.c l2cap_conn_del use after free",
      "x_generator": "vuldb.com"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2022-3640",
    "datePublished": "2022-10-21T00:00:00",
    "dateReserved": "2022-10-21T00:00:00",
    "dateUpdated": "2024-08-03T01:14:03.216Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21970 (GCVE-0-2025-21970)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-11-03 19:40

Title

net/mlx5: Bridge, fix the crash caused by LAG state check

Summary

In the Linux kernel, the following vulnerability has been resolved: net/mlx5: Bridge, fix the crash caused by LAG state check When removing LAG device from bridge, NETDEV_CHANGEUPPER event is triggered. Driver finds the lower devices (PFs) to flush all the offloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns false if one of PF is unloaded. In such case, mlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of the alive PF, and the flush is skipped. Besides, the bridge fdb entry's lastuse is updated in mlx5 bridge event handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be ignored in this case because the upper interface for bond is deleted, and the entry will never be aged because lastuse is never updated. To make things worse, as the entry is alive, mlx5 bridge workqueue keeps sending that event, which is then handled by kernel bridge notifier. It causes the following crash when accessing the passed bond netdev which is already destroyed. To fix this issue, remove such checks. LAG state is already checked in commit 15f8f168952f ("net/mlx5: Bridge, verify LAG state when adding bond to bridge"), driver still need to skip offload if LAG becomes invalid state after initialization. Oops: stack segment: 0000 [#1] SMP CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G OE 6.11.0_mlnx #1 Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core] RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge] Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 <4c> 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7 RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297 RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0 RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8 R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60 R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000 FS: 0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 PKRU: 55555554 Call Trace: <TASK> ? __die_body+0x1a/0x60 ? die+0x38/0x60 ? do_trap+0x10b/0x120 ? do_error_trap+0x64/0xa0 ? exc_stack_segment+0x33/0x50 ? asm_exc_stack_segment+0x22/0x30 ? br_switchdev_event+0x2c/0x110 [bridge] ? sched_balance_newidle.isra.149+0x248/0x390 notifier_call_chain+0x4b/0xa0 atomic_notifier_call_chain+0x16/0x20 mlx5_esw_bridge_update+0xec/0x170 [mlx5_core] mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core] process_scheduled_works+0x81/0x390 worker_thread+0x106/0x250 ? bh_worker+0x110/0x110 kthread+0xb7/0xe0 ? kthread_park+0x80/0x80 ret_from_fork+0x2d/0x50 ? kthread_park+0x80/0x80 ret_from_fork_asm+0x11/0x20 </TASK>

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f90c4d6572488e2ba…
	https://git.kernel.org/stable/c/86ff45f5f61ae1d0d…
	https://git.kernel.org/stable/c/bd7e3a42800743a77…
	https://git.kernel.org/stable/c/f7bf259a04271165a…
	https://git.kernel.org/stable/c/5dd8bf6ab1d6db40f…
	https://git.kernel.org/stable/c/4b8eeed4fb105770c…

Impacted products

Vendor

Product

Version

Linux

Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < f90c4d6572488e2bad38cca00f1c59174a538a1a (git)
Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < 86ff45f5f61ae1d0d17f0f6d8797b052eacfd8f1 (git)
Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < bd7e3a42800743a7748c83243e4cafc1b995d4c4 (git)
Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < f7bf259a04271165ae667ad21cfc60c6413f25ca (git)
Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < 5dd8bf6ab1d6db40f5d09603759fa88caec19e7f (git)
Affected: ff9b7521468bc2909293c1cda66a245a49688f6f , < 4b8eeed4fb105770ce6dc84a2c6ef953c7b71cbb (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:11.287Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f90c4d6572488e2bad38cca00f1c59174a538a1a",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            },
            {
              "lessThan": "86ff45f5f61ae1d0d17f0f6d8797b052eacfd8f1",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            },
            {
              "lessThan": "bd7e3a42800743a7748c83243e4cafc1b995d4c4",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            },
            {
              "lessThan": "f7bf259a04271165ae667ad21cfc60c6413f25ca",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            },
            {
              "lessThan": "5dd8bf6ab1d6db40f5d09603759fa88caec19e7f",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            },
            {
              "lessThan": "4b8eeed4fb105770ce6dc84a2c6ef953c7b71cbb",
              "status": "affected",
              "version": "ff9b7521468bc2909293c1cda66a245a49688f6f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/mellanox/mlx5/core/en/rep/bridge.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5: Bridge, fix the crash caused by LAG state check\n\nWhen removing LAG device from bridge, NETDEV_CHANGEUPPER event is\ntriggered. Driver finds the lower devices (PFs) to flush all the\noffloaded entries. And mlx5_lag_is_shared_fdb is checked, it returns\nfalse if one of PF is unloaded. In such case,\nmlx5_esw_bridge_lag_rep_get() and its caller return NULL, instead of\nthe alive PF, and the flush is skipped.\n\nBesides, the bridge fdb entry\u0027s lastuse is updated in mlx5 bridge\nevent handler. But this SWITCHDEV_FDB_ADD_TO_BRIDGE event can be\nignored in this case because the upper interface for bond is deleted,\nand the entry will never be aged because lastuse is never updated.\n\nTo make things worse, as the entry is alive, mlx5 bridge workqueue\nkeeps sending that event, which is then handled by kernel bridge\nnotifier. It causes the following crash when accessing the passed bond\nnetdev which is already destroyed.\n\nTo fix this issue, remove such checks. LAG state is already checked in\ncommit 15f8f168952f (\"net/mlx5: Bridge, verify LAG state when adding\nbond to bridge\"), driver still need to skip offload if LAG becomes\ninvalid state after initialization.\n\n Oops: stack segment: 0000 [#1] SMP\n CPU: 3 UID: 0 PID: 23695 Comm: kworker/u40:3 Tainted: G           OE      6.11.0_mlnx #1\n Tainted: [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n Workqueue: mlx5_bridge_wq mlx5_esw_bridge_update_work [mlx5_core]\n RIP: 0010:br_switchdev_event+0x2c/0x110 [bridge]\n Code: 44 00 00 48 8b 02 48 f7 00 00 02 00 00 74 69 41 54 55 53 48 83 ec 08 48 8b a8 08 01 00 00 48 85 ed 74 4a 48 83 fe 02 48 89 d3 \u003c4c\u003e 8b 65 00 74 23 76 49 48 83 fe 05 74 7e 48 83 fe 06 75 2f 0f b7\n RSP: 0018:ffffc900092cfda0 EFLAGS: 00010297\n RAX: ffff888123bfe000 RBX: ffffc900092cfe08 RCX: 00000000ffffffff\n RDX: ffffc900092cfe08 RSI: 0000000000000001 RDI: ffffffffa0c585f0\n RBP: 6669746f6e690a30 R08: 0000000000000000 R09: ffff888123ae92c8\n R10: 0000000000000000 R11: fefefefefefefeff R12: ffff888123ae9c60\n R13: 0000000000000001 R14: ffffc900092cfe08 R15: 0000000000000000\n FS:  0000000000000000(0000) GS:ffff88852c980000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 00007f15914c8734 CR3: 0000000002830005 CR4: 0000000000770ef0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n PKRU: 55555554\n Call Trace:\n  \u003cTASK\u003e\n  ? __die_body+0x1a/0x60\n  ? die+0x38/0x60\n  ? do_trap+0x10b/0x120\n  ? do_error_trap+0x64/0xa0\n  ? exc_stack_segment+0x33/0x50\n  ? asm_exc_stack_segment+0x22/0x30\n  ? br_switchdev_event+0x2c/0x110 [bridge]\n  ? sched_balance_newidle.isra.149+0x248/0x390\n  notifier_call_chain+0x4b/0xa0\n  atomic_notifier_call_chain+0x16/0x20\n  mlx5_esw_bridge_update+0xec/0x170 [mlx5_core]\n  mlx5_esw_bridge_update_work+0x19/0x40 [mlx5_core]\n  process_scheduled_works+0x81/0x390\n  worker_thread+0x106/0x250\n  ? bh_worker+0x110/0x110\n  kthread+0xb7/0xe0\n  ? kthread_park+0x80/0x80\n  ret_from_fork+0x2d/0x50\n  ? kthread_park+0x80/0x80\n  ret_from_fork_asm+0x11/0x20\n  \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:02.649Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f90c4d6572488e2bad38cca00f1c59174a538a1a"
        },
        {
          "url": "https://git.kernel.org/stable/c/86ff45f5f61ae1d0d17f0f6d8797b052eacfd8f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/bd7e3a42800743a7748c83243e4cafc1b995d4c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f7bf259a04271165ae667ad21cfc60c6413f25ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/5dd8bf6ab1d6db40f5d09603759fa88caec19e7f"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b8eeed4fb105770ce6dc84a2c6ef953c7b71cbb"
        }
      ],
      "title": "net/mlx5: Bridge, fix the crash caused by LAG state check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21970",
    "datePublished": "2025-04-01T15:47:03.912Z",
    "dateReserved": "2024-12-29T08:45:45.797Z",
    "dateUpdated": "2025-11-03T19:40:11.287Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23152 (GCVE-0-2025-23152)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-05-26 05:19

Title

arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch() Fix a silly bug where an array was used outside of its scope.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bd9e1a03e579a01df…
	https://git.kernel.org/stable/c/d48b663f410f8b35b…

Impacted products

Vendor

Product

Version

Linux

Affected: 2051da858534a73589cdb27af914fe1c03b9ee98 , < bd9e1a03e579a01dfa66dbaa53d0219c33cbc463 (git)
Affected: 2051da858534a73589cdb27af914fe1c03b9ee98 , < d48b663f410f8b35b8ba9bd597bafaa00f53293b (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/lib/crc-t10dif-glue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bd9e1a03e579a01dfa66dbaa53d0219c33cbc463",
              "status": "affected",
              "version": "2051da858534a73589cdb27af914fe1c03b9ee98",
              "versionType": "git"
            },
            {
              "lessThan": "d48b663f410f8b35b8ba9bd597bafaa00f53293b",
              "status": "affected",
              "version": "2051da858534a73589cdb27af914fe1c03b9ee98",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/lib/crc-t10dif-glue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()\n\nFix a silly bug where an array was used outside of its scope."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:34.254Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bd9e1a03e579a01dfa66dbaa53d0219c33cbc463"
        },
        {
          "url": "https://git.kernel.org/stable/c/d48b663f410f8b35b8ba9bd597bafaa00f53293b"
        }
      ],
      "title": "arm64/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23152",
    "datePublished": "2025-05-01T12:55:39.454Z",
    "dateReserved": "2025-01-11T14:28:41.513Z",
    "dateUpdated": "2025-05-26T05:19:34.254Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23159 (GCVE-0-2025-23159)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-11-03 19:42

Title

media: venus: hfi: add a check to handle OOB in sfr region

Summary

In the Linux kernel, the following vulnerability has been resolved: media: venus: hfi: add a check to handle OOB in sfr region sfr->buf_size is in shared memory and can be modified by malicious user. OOB write is possible when the size is made higher than actual sfr data buffer. Cap the size to allocated size for such cases.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4dd109038d513b92d…
	https://git.kernel.org/stable/c/8879397c0da5e5ec1…
	https://git.kernel.org/stable/c/1b8fb257234e7d2d4…
	https://git.kernel.org/stable/c/4e95233af57715d81…
	https://git.kernel.org/stable/c/5af611c70fb889d46…
	https://git.kernel.org/stable/c/530f623f56a668079…
	https://git.kernel.org/stable/c/a062d8de0be5525ec…
	https://git.kernel.org/stable/c/d78a8388a27b265fc…
	https://git.kernel.org/stable/c/f4b211714bcc70eff…

Impacted products

Vendor

Product

Version

Linux

Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < 4dd109038d513b92d4d33524ffc89ba32e02ba48 (git)
Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < 8879397c0da5e5ec1515262995e82cdfd61b282a (git)
Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < 1b8fb257234e7d2d4b3f48af07c5aa5e11c71634 (git)
Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < 4e95233af57715d81830fe82b408c633edff59f4 (git)
Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < 5af611c70fb889d46d2f654b8996746e59556750 (git)
Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < 530f623f56a6680792499a8404083e17f8ec51f4 (git)
Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < a062d8de0be5525ec8c52f070acf7607ec8cbfe4 (git)
Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < d78a8388a27b265fcb2b8d064f088168ac9356b0 (git)
Affected: d96d3f30c0f2f564f6922bf4ccdf4464992e31fb , < f4b211714bcc70effa60c34d9fa613d182e3ef1e (git)

Linux

Affected: 4.13
Unaffected: 0 , < 4.13 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:59.661Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_venus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4dd109038d513b92d4d33524ffc89ba32e02ba48",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "8879397c0da5e5ec1515262995e82cdfd61b282a",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "1b8fb257234e7d2d4b3f48af07c5aa5e11c71634",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "4e95233af57715d81830fe82b408c633edff59f4",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "5af611c70fb889d46d2f654b8996746e59556750",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "530f623f56a6680792499a8404083e17f8ec51f4",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "a062d8de0be5525ec8c52f070acf7607ec8cbfe4",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "d78a8388a27b265fcb2b8d064f088168ac9356b0",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            },
            {
              "lessThan": "f4b211714bcc70effa60c34d9fa613d182e3ef1e",
              "status": "affected",
              "version": "d96d3f30c0f2f564f6922bf4ccdf4464992e31fb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/platform/qcom/venus/hfi_venus.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: venus: hfi: add a check to handle OOB in sfr region\n\nsfr-\u003ebuf_size is in shared memory and can be modified by malicious user.\nOOB write is possible when the size is made higher than actual sfr data\nbuffer. Cap the size to allocated size for such cases."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:43.236Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4dd109038d513b92d4d33524ffc89ba32e02ba48"
        },
        {
          "url": "https://git.kernel.org/stable/c/8879397c0da5e5ec1515262995e82cdfd61b282a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b8fb257234e7d2d4b3f48af07c5aa5e11c71634"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e95233af57715d81830fe82b408c633edff59f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5af611c70fb889d46d2f654b8996746e59556750"
        },
        {
          "url": "https://git.kernel.org/stable/c/530f623f56a6680792499a8404083e17f8ec51f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/a062d8de0be5525ec8c52f070acf7607ec8cbfe4"
        },
        {
          "url": "https://git.kernel.org/stable/c/d78a8388a27b265fcb2b8d064f088168ac9356b0"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4b211714bcc70effa60c34d9fa613d182e3ef1e"
        }
      ],
      "title": "media: venus: hfi: add a check to handle OOB in sfr region",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23159",
    "datePublished": "2025-05-01T12:55:44.695Z",
    "dateReserved": "2025-01-11T14:28:41.515Z",
    "dateUpdated": "2025-11-03T19:42:59.661Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21683 (GCVE-0-2025-21683)

Vulnerability from cvelistv5 – Published: 2025-01-31 11:25 – Updated: 2025-11-03 20:59

Title

bpf: Fix bpf_sk_select_reuseport() memory leak

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix bpf_sk_select_reuseport() memory leak As pointed out in the original comment, lookup in sockmap can return a TCP ESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF set before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb does not imply a non-refcounted socket. Drop sk's reference in both error paths. unreferenced object 0xffff888101911800 (size 2048): comm "test_progs", pid 44109, jiffies 4297131437 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 9336483b): __kmalloc_noprof+0x3bf/0x560 __reuseport_alloc+0x1d/0x40 reuseport_alloc+0xca/0x150 reuseport_attach_prog+0x87/0x140 sk_reuseport_attach_bpf+0xc8/0x100 sk_setsockopt+0x1181/0x1990 do_sock_setsockopt+0x12b/0x160 __sys_setsockopt+0x7b/0xc0 __x64_sys_setsockopt+0x1b/0x30 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/bb36838dac7bb334a…
	https://git.kernel.org/stable/c/0ab52a8ca6e156a64…
	https://git.kernel.org/stable/c/d0a3b3d1176d39218…
	https://git.kernel.org/stable/c/b02e70be498b138e9…
	https://git.kernel.org/stable/c/cccd51dd22574216e…
	https://git.kernel.org/stable/c/b3af60928ab9129be…

Impacted products

Vendor

Product

Version

Linux

Affected: 64d85290d79c0677edb5a8ee2295b36c022fa5df , < bb36838dac7bb334a3f3d7eb29875593ec9473fc (git)
Affected: 64d85290d79c0677edb5a8ee2295b36c022fa5df , < 0ab52a8ca6e156a64c51b5e7456cac9a0ebfd9bf (git)
Affected: 64d85290d79c0677edb5a8ee2295b36c022fa5df , < d0a3b3d1176d39218b8edb2a2d03164942ab9ccd (git)
Affected: 64d85290d79c0677edb5a8ee2295b36c022fa5df , < b02e70be498b138e9c21701c2f33f4018ca7cd5e (git)
Affected: 64d85290d79c0677edb5a8ee2295b36c022fa5df , < cccd51dd22574216e64e5d205489e634f86999f3 (git)
Affected: 64d85290d79c0677edb5a8ee2295b36c022fa5df , < b3af60928ab9129befa65e6df0310d27300942bf (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.127 , ≤ 6.1.* (semver)
Unaffected: 6.6.74 , ≤ 6.6.* (semver)
Unaffected: 6.12.11 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21683",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:51:47.465503Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:11.105Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:59:02.244Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "bb36838dac7bb334a3f3d7eb29875593ec9473fc",
              "status": "affected",
              "version": "64d85290d79c0677edb5a8ee2295b36c022fa5df",
              "versionType": "git"
            },
            {
              "lessThan": "0ab52a8ca6e156a64c51b5e7456cac9a0ebfd9bf",
              "status": "affected",
              "version": "64d85290d79c0677edb5a8ee2295b36c022fa5df",
              "versionType": "git"
            },
            {
              "lessThan": "d0a3b3d1176d39218b8edb2a2d03164942ab9ccd",
              "status": "affected",
              "version": "64d85290d79c0677edb5a8ee2295b36c022fa5df",
              "versionType": "git"
            },
            {
              "lessThan": "b02e70be498b138e9c21701c2f33f4018ca7cd5e",
              "status": "affected",
              "version": "64d85290d79c0677edb5a8ee2295b36c022fa5df",
              "versionType": "git"
            },
            {
              "lessThan": "cccd51dd22574216e64e5d205489e634f86999f3",
              "status": "affected",
              "version": "64d85290d79c0677edb5a8ee2295b36c022fa5df",
              "versionType": "git"
            },
            {
              "lessThan": "b3af60928ab9129befa65e6df0310d27300942bf",
              "status": "affected",
              "version": "64d85290d79c0677edb5a8ee2295b36c022fa5df",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/filter.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix bpf_sk_select_reuseport() memory leak\n\nAs pointed out in the original comment, lookup in sockmap can return a TCP\nESTABLISHED socket. Such TCP socket may have had SO_ATTACH_REUSEPORT_EBPF\nset before it was ESTABLISHED. In other words, a non-NULL sk_reuseport_cb\ndoes not imply a non-refcounted socket.\n\nDrop sk\u0027s reference in both error paths.\n\nunreferenced object 0xffff888101911800 (size 2048):\n  comm \"test_progs\", pid 44109, jiffies 4297131437\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    80 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 9336483b):\n    __kmalloc_noprof+0x3bf/0x560\n    __reuseport_alloc+0x1d/0x40\n    reuseport_alloc+0xca/0x150\n    reuseport_attach_prog+0x87/0x140\n    sk_reuseport_attach_bpf+0xc8/0x100\n    sk_setsockopt+0x1181/0x1990\n    do_sock_setsockopt+0x12b/0x160\n    __sys_setsockopt+0x7b/0xc0\n    __x64_sys_setsockopt+0x1b/0x30\n    do_syscall_64+0x93/0x180\n    entry_SYSCALL_64_after_hwframe+0x76/0x7e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:58.841Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/bb36838dac7bb334a3f3d7eb29875593ec9473fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ab52a8ca6e156a64c51b5e7456cac9a0ebfd9bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/d0a3b3d1176d39218b8edb2a2d03164942ab9ccd"
        },
        {
          "url": "https://git.kernel.org/stable/c/b02e70be498b138e9c21701c2f33f4018ca7cd5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cccd51dd22574216e64e5d205489e634f86999f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3af60928ab9129befa65e6df0310d27300942bf"
        }
      ],
      "title": "bpf: Fix bpf_sk_select_reuseport() memory leak",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21683",
    "datePublished": "2025-01-31T11:25:42.903Z",
    "dateReserved": "2024-12-29T08:45:45.739Z",
    "dateUpdated": "2025-11-03T20:59:02.244Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37886 (GCVE-0-2025-37886)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:45 – Updated: 2025-05-26 05:23

Title

pds_core: make wait_context part of q_info

Summary

In the Linux kernel, the following vulnerability has been resolved: pds_core: make wait_context part of q_info Make the wait_context a full part of the q_info struct rather than a stack variable that goes away after pdsc_adminq_post() is done so that the context is still available after the wait loop has given up. There was a case where a slow development firmware caused the adminq request to time out, but then later the FW finally finished the request and sent the interrupt. The handler tried to complete_all() the completion context that had been created on the stack in pdsc_adminq_post() but no longer existed. This caused bad pointer usage, kernel crashes, and much wailing and gnashing of teeth.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1d7c4b2b0bbfb09b5…
	https://git.kernel.org/stable/c/66d7702b42ffdf0dc…
	https://git.kernel.org/stable/c/520f012fe75fb8efc…
	https://git.kernel.org/stable/c/3f77c3dfffc706342…

Impacted products

Vendor

Product

Version

Linux

Affected: 01ba61b55b2041a39c54aefb3153c770dd59a0ef , < 1d7c4b2b0bbfb09b55b2dc0e2355d7936bf89381 (git)
Affected: 01ba61b55b2041a39c54aefb3153c770dd59a0ef , < 66d7702b42ffdf0dce4808626088268a4e905ca6 (git)
Affected: 01ba61b55b2041a39c54aefb3153c770dd59a0ef , < 520f012fe75fb8efc9f16a57ef929a7a2115d892 (git)
Affected: 01ba61b55b2041a39c54aefb3153c770dd59a0ef , < 3f77c3dfffc7063428b100c4945ca2a7a8680380 (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/amd/pds_core/adminq.c",
            "drivers/net/ethernet/amd/pds_core/core.c",
            "drivers/net/ethernet/amd/pds_core/core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1d7c4b2b0bbfb09b55b2dc0e2355d7936bf89381",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            },
            {
              "lessThan": "66d7702b42ffdf0dce4808626088268a4e905ca6",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            },
            {
              "lessThan": "520f012fe75fb8efc9f16a57ef929a7a2115d892",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            },
            {
              "lessThan": "3f77c3dfffc7063428b100c4945ca2a7a8680380",
              "status": "affected",
              "version": "01ba61b55b2041a39c54aefb3153c770dd59a0ef",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/amd/pds_core/adminq.c",
            "drivers/net/ethernet/amd/pds_core/core.c",
            "drivers/net/ethernet/amd/pds_core/core.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npds_core: make wait_context part of q_info\n\nMake the wait_context a full part of the q_info struct rather\nthan a stack variable that goes away after pdsc_adminq_post()\nis done so that the context is still available after the wait\nloop has given up.\n\nThere was a case where a slow development firmware caused\nthe adminq request to time out, but then later the FW finally\nfinished the request and sent the interrupt.  The handler tried\nto complete_all() the completion context that had been created\non the stack in pdsc_adminq_post() but no longer existed.\nThis caused bad pointer usage, kernel crashes, and much wailing\nand gnashing of teeth."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:23:03.001Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1d7c4b2b0bbfb09b55b2dc0e2355d7936bf89381"
        },
        {
          "url": "https://git.kernel.org/stable/c/66d7702b42ffdf0dce4808626088268a4e905ca6"
        },
        {
          "url": "https://git.kernel.org/stable/c/520f012fe75fb8efc9f16a57ef929a7a2115d892"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f77c3dfffc7063428b100c4945ca2a7a8680380"
        }
      ],
      "title": "pds_core: make wait_context part of q_info",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37886",
    "datePublished": "2025-05-09T06:45:48.810Z",
    "dateReserved": "2025-04-16T04:51:23.963Z",
    "dateUpdated": "2025-05-26T05:23:03.001Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21977 (GCVE-0-2025-21977)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-05-04 07:26

Title

fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs

Summary

In the Linux kernel, the following vulnerability has been resolved: fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs Gen 2 Hyper-V VMs boot via EFI and have a standard EFI framebuffer device. When the kdump kernel runs in such a VM, loading the efifb driver may hang because of accessing the framebuffer at the wrong memory address. The scenario occurs when the hyperv_fb driver in the original kernel moves the framebuffer to a different MMIO address because of conflicts with an already-running efifb or simplefb driver. The hyperv_fb driver then informs Hyper-V of the change, which is allowed by the Hyper-V FB VMBus device protocol. However, when the kexec command loads the kdump kernel into crash memory via the kexec_file_load() system call, the system call doesn't know the framebuffer has moved, and it sets up the kdump screen_info using the original framebuffer address. The transition to the kdump kernel does not go through the Hyper-V host, so Hyper-V does not reset the framebuffer address like it would do on a reboot. When efifb tries to run, it accesses a non-existent framebuffer address, which traps to the Hyper-V host. After many such accesses, the Hyper-V host thinks the guest is being malicious, and throttles the guest to the point that it runs very slowly or appears to have hung. When the kdump kernel is loaded into crash memory via the kexec_load() system call, the problem does not occur. In this case, the kexec command builds the screen_info table itself in user space from data returned by the FBIOGET_FSCREENINFO ioctl against /dev/fb0, which gives it the new framebuffer location. This problem was originally reported in 2020 [1], resulting in commit 3cb73bc3fa2a ("hyperv_fb: Update screen_info after removing old framebuffer"). This commit solved the problem by setting orig_video_isVGA to 0, so the kdump kernel was unaware of the EFI framebuffer. The efifb driver did not try to load, and no hang occurred. But in 2024, commit c25a19afb81c ("fbdev/hyperv_fb: Do not clear global screen_info") effectively reverted 3cb73bc3fa2a. Commit c25a19afb81c has no reference to 3cb73bc3fa2a, so perhaps it was done without knowing the implications that were reported with 3cb73bc3fa2a. In any case, as of commit c25a19afb81c, the original problem came back again. Interestingly, the hyperv_drm driver does not have this problem because it never moves the framebuffer. The difference is that the hyperv_drm driver removes any conflicting framebuffers *before* allocating an MMIO address, while the hyperv_fb drivers removes conflicting framebuffers *after* allocating an MMIO address. With the "after" ordering, hyperv_fb may encounter a conflict and move the framebuffer to a different MMIO address. But the conflict is essentially bogus because it is removed a few lines of code later. Rather than fix the problem with the approach from 2020 in commit 3cb73bc3fa2a, instead slightly reorder the steps in hyperv_fb so conflicting framebuffers are removed before allocating an MMIO address. Then the default framebuffer MMIO address should always be available, and there's never any confusion about which framebuffer address the kdump kernel should use -- it's always the original address provided by the Hyper-V host. This approach is already used by the hyperv_drm driver, and is consistent with the usage guidelines at the head of the module with the function aperture_remove_conflicting_devices(). This approach also solves a related minor problem when kexec_load() is used to load the kdump kernel. With current code, unbinding and rebinding the hyperv_fb driver could result in the framebuffer moving back to the default framebuffer address, because on the rebind there are no conflicts. If such a move is done after the kdump kernel is loaded with the new framebuffer address, at kdump time it could again have the wrong address. This problem and fix are described in terms of the kdump kernel, but it can also occur ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cfffe46a994ac6d5d…
	https://git.kernel.org/stable/c/2924802d35e00a36b…
	https://git.kernel.org/stable/c/304386373007aaca9…

Impacted products

Vendor

Product

Version

Linux

Affected: c25a19afb81cfd73dab494ba64f9a434cf1a4499 , < cfffe46a994ac6d5de3b119917680ea1e9a96125 (git)
Affected: c25a19afb81cfd73dab494ba64f9a434cf1a4499 , < 2924802d35e00a36b1503a4e786f1926b2fdc1d0 (git)
Affected: c25a19afb81cfd73dab494ba64f9a434cf1a4499 , < 304386373007aaca9236a3f36afac0bbedcd2bf0 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/hyperv_fb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cfffe46a994ac6d5de3b119917680ea1e9a96125",
              "status": "affected",
              "version": "c25a19afb81cfd73dab494ba64f9a434cf1a4499",
              "versionType": "git"
            },
            {
              "lessThan": "2924802d35e00a36b1503a4e786f1926b2fdc1d0",
              "status": "affected",
              "version": "c25a19afb81cfd73dab494ba64f9a434cf1a4499",
              "versionType": "git"
            },
            {
              "lessThan": "304386373007aaca9236a3f36afac0bbedcd2bf0",
              "status": "affected",
              "version": "c25a19afb81cfd73dab494ba64f9a434cf1a4499",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/fbdev/hyperv_fb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs\n\nGen 2 Hyper-V VMs boot via EFI and have a standard EFI framebuffer\ndevice. When the kdump kernel runs in such a VM, loading the efifb\ndriver may hang because of accessing the framebuffer at the wrong\nmemory address.\n\nThe scenario occurs when the hyperv_fb driver in the original kernel\nmoves the framebuffer to a different MMIO address because of conflicts\nwith an already-running efifb or simplefb driver. The hyperv_fb driver\nthen informs Hyper-V of the change, which is allowed by the Hyper-V FB\nVMBus device protocol. However, when the kexec command loads the kdump\nkernel into crash memory via the kexec_file_load() system call, the\nsystem call doesn\u0027t know the framebuffer has moved, and it sets up the\nkdump screen_info using the original framebuffer address. The transition\nto the kdump kernel does not go through the Hyper-V host, so Hyper-V\ndoes not reset the framebuffer address like it would do on a reboot.\nWhen efifb tries to run, it accesses a non-existent framebuffer\naddress, which traps to the Hyper-V host. After many such accesses,\nthe Hyper-V host thinks the guest is being malicious, and throttles\nthe guest to the point that it runs very slowly or appears to have hung.\n\nWhen the kdump kernel is loaded into crash memory via the kexec_load()\nsystem call, the problem does not occur. In this case, the kexec command\nbuilds the screen_info table itself in user space from data returned\nby the FBIOGET_FSCREENINFO ioctl against /dev/fb0, which gives it the\nnew framebuffer location.\n\nThis problem was originally reported in 2020 [1], resulting in commit\n3cb73bc3fa2a (\"hyperv_fb: Update screen_info after removing old\nframebuffer\"). This commit solved the problem by setting orig_video_isVGA\nto 0, so the kdump kernel was unaware of the EFI framebuffer. The efifb\ndriver did not try to load, and no hang occurred. But in 2024, commit\nc25a19afb81c (\"fbdev/hyperv_fb: Do not clear global screen_info\")\neffectively reverted 3cb73bc3fa2a. Commit c25a19afb81c has no reference\nto 3cb73bc3fa2a, so perhaps it was done without knowing the implications\nthat were reported with 3cb73bc3fa2a. In any case, as of commit\nc25a19afb81c, the original problem came back again.\n\nInterestingly, the hyperv_drm driver does not have this problem because\nit never moves the framebuffer. The difference is that the hyperv_drm\ndriver removes any conflicting framebuffers *before* allocating an MMIO\naddress, while the hyperv_fb drivers removes conflicting framebuffers\n*after* allocating an MMIO address. With the \"after\" ordering, hyperv_fb\nmay encounter a conflict and move the framebuffer to a different MMIO\naddress. But the conflict is essentially bogus because it is removed\na few lines of code later.\n\nRather than fix the problem with the approach from 2020 in commit\n3cb73bc3fa2a, instead slightly reorder the steps in hyperv_fb so\nconflicting framebuffers are removed before allocating an MMIO address.\nThen the default framebuffer MMIO address should always be available, and\nthere\u0027s never any confusion about which framebuffer address the kdump\nkernel should use -- it\u0027s always the original address provided by\nthe Hyper-V host. This approach is already used by the hyperv_drm\ndriver, and is consistent with the usage guidelines at the head of\nthe module with the function aperture_remove_conflicting_devices().\n\nThis approach also solves a related minor problem when kexec_load()\nis used to load the kdump kernel. With current code, unbinding and\nrebinding the hyperv_fb driver could result in the framebuffer moving\nback to the default framebuffer address, because on the rebind there\nare no conflicts. If such a move is done after the kdump kernel is\nloaded with the new framebuffer address, at kdump time it could again\nhave the wrong address.\n\nThis problem and fix are described in terms of the kdump kernel, but\nit can also occur\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:26.566Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cfffe46a994ac6d5de3b119917680ea1e9a96125"
        },
        {
          "url": "https://git.kernel.org/stable/c/2924802d35e00a36b1503a4e786f1926b2fdc1d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/304386373007aaca9236a3f36afac0bbedcd2bf0"
        }
      ],
      "title": "fbdev: hyperv_fb: Fix hang in kdump kernel when on Hyper-V Gen 2 VMs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21977",
    "datePublished": "2025-04-01T15:47:07.642Z",
    "dateReserved": "2024-12-29T08:45:45.798Z",
    "dateUpdated": "2025-05-04T07:26:26.566Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-40114 (GCVE-0-2025-40114)

Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2025-10-01 14:47

Title

iio: light: Add check for array bounds in veml6075_read_int_time_ms

Summary

In the Linux kernel, the following vulnerability has been resolved: iio: light: Add check for array bounds in veml6075_read_int_time_ms The array contains only 5 elements, but the index calculated by veml6075_read_int_time_index can range from 0 to 7, which could lead to out-of-bounds access. The check prevents this issue. Coverity Issue CID 1574309: (#1 of 1): Out-of-bounds read (OVERRUN) overrun-local: Overrunning array veml6075_it_ms of 5 4-byte elements at element index 7 (byte offset 31) using index int_index (which evaluates to 7) This is hardening against potentially broken hardware. Good to have but not necessary to backport.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-129 - Improper Validation of Array Index

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7a40b52d4442178be…
	https://git.kernel.org/stable/c/18a08b5632809faa6…
	https://git.kernel.org/stable/c/9c40a68b7f97fa487…
	https://git.kernel.org/stable/c/ee735aa33db16c1fb…

Impacted products

Vendor

Product

Version

Linux

Affected: 3b82f43238aecd73464aeacc9c73407079511533 , < 7a40b52d4442178bee0cf1c36bc450ab951cef0f (git)
Affected: 3b82f43238aecd73464aeacc9c73407079511533 , < 18a08b5632809faa671279b3cd27d5f96cc5a3f0 (git)
Affected: 3b82f43238aecd73464aeacc9c73407079511533 , < 9c40a68b7f97fa487e6c7e67fcf4f846a1f96692 (git)
Affected: 3b82f43238aecd73464aeacc9c73407079511533 , < ee735aa33db16c1fb5ebccbaf84ad38f5583f3cc (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-40114",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T14:47:06.245210Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-129",
                "description": "CWE-129 Improper Validation of Array Index",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T14:47:33.777Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/light/veml6075.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7a40b52d4442178bee0cf1c36bc450ab951cef0f",
              "status": "affected",
              "version": "3b82f43238aecd73464aeacc9c73407079511533",
              "versionType": "git"
            },
            {
              "lessThan": "18a08b5632809faa671279b3cd27d5f96cc5a3f0",
              "status": "affected",
              "version": "3b82f43238aecd73464aeacc9c73407079511533",
              "versionType": "git"
            },
            {
              "lessThan": "9c40a68b7f97fa487e6c7e67fcf4f846a1f96692",
              "status": "affected",
              "version": "3b82f43238aecd73464aeacc9c73407079511533",
              "versionType": "git"
            },
            {
              "lessThan": "ee735aa33db16c1fb5ebccbaf84ad38f5583f3cc",
              "status": "affected",
              "version": "3b82f43238aecd73464aeacc9c73407079511533",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/iio/light/veml6075.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niio: light: Add check for array bounds in veml6075_read_int_time_ms\n\nThe array contains only 5 elements, but the index calculated by\nveml6075_read_int_time_index can range from 0 to 7,\nwhich could lead to out-of-bounds access. The check prevents this issue.\n\nCoverity Issue\nCID 1574309: (#1 of 1): Out-of-bounds read (OVERRUN)\noverrun-local: Overrunning array veml6075_it_ms of 5 4-byte\nelements at element index 7 (byte offset 31) using\nindex int_index (which evaluates to 7)\n\nThis is hardening against potentially broken hardware. Good to have\nbut not necessary to backport."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:25:36.607Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7a40b52d4442178bee0cf1c36bc450ab951cef0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/18a08b5632809faa671279b3cd27d5f96cc5a3f0"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c40a68b7f97fa487e6c7e67fcf4f846a1f96692"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee735aa33db16c1fb5ebccbaf84ad38f5583f3cc"
        }
      ],
      "title": "iio: light: Add check for array bounds in veml6075_read_int_time_ms",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-40114",
    "datePublished": "2025-04-18T07:01:40.964Z",
    "dateReserved": "2025-04-16T07:20:57.168Z",
    "dateUpdated": "2025-10-01T14:47:33.777Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22000 (GCVE-0-2025-22000)

Vulnerability from cvelistv5 – Published: 2025-04-03 07:19 – Updated: 2025-10-01 17:10

Title

mm/huge_memory: drop beyond-EOF folios with the right number of refs

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/huge_memory: drop beyond-EOF folios with the right number of refs When an after-split folio is large and needs to be dropped due to EOF, folio_put_refs(folio, folio_nr_pages(folio)) should be used to drop all page cache refs. Otherwise, the folio will not be freed, causing memory leak. This leak would happen on a filesystem with blocksize > page_size and a truncate is performed, where the blocksize makes folios split to >0 order ones, causing truncated folios not being freed.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/86368616a9ce51f6b…
	https://git.kernel.org/stable/c/92ad820a1f2d95d5a…
	https://git.kernel.org/stable/c/14efb4793519d73fb…

Impacted products

Vendor

Product

Version

Linux

Affected: c010d47f107f609b9f4d6a103b6dfc53889049e9 , < 86368616a9ce51f6b41efa251b6e066893851d67 (git)
Affected: c010d47f107f609b9f4d6a103b6dfc53889049e9 , < 92ad820a1f2d95d5a8d6c2bd3f391bbb068a5f9e (git)
Affected: c010d47f107f609b9f4d6a103b6dfc53889049e9 , < 14efb4793519d73fb2902bb0ece319b886e4b4b9 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22000",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:10:40.636099Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:10:44.113Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/huge_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "86368616a9ce51f6b41efa251b6e066893851d67",
              "status": "affected",
              "version": "c010d47f107f609b9f4d6a103b6dfc53889049e9",
              "versionType": "git"
            },
            {
              "lessThan": "92ad820a1f2d95d5a8d6c2bd3f391bbb068a5f9e",
              "status": "affected",
              "version": "c010d47f107f609b9f4d6a103b6dfc53889049e9",
              "versionType": "git"
            },
            {
              "lessThan": "14efb4793519d73fb2902bb0ece319b886e4b4b9",
              "status": "affected",
              "version": "c010d47f107f609b9f4d6a103b6dfc53889049e9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/huge_memory.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/huge_memory: drop beyond-EOF folios with the right number of refs\n\nWhen an after-split folio is large and needs to be dropped due to EOF,\nfolio_put_refs(folio, folio_nr_pages(folio)) should be used to drop all\npage cache refs.  Otherwise, the folio will not be freed, causing memory\nleak.\n\nThis leak would happen on a filesystem with blocksize \u003e page_size and a\ntruncate is performed, where the blocksize makes folios split to \u003e0 order\nones, causing truncated folios not being freed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:10.706Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/86368616a9ce51f6b41efa251b6e066893851d67"
        },
        {
          "url": "https://git.kernel.org/stable/c/92ad820a1f2d95d5a8d6c2bd3f391bbb068a5f9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/14efb4793519d73fb2902bb0ece319b886e4b4b9"
        }
      ],
      "title": "mm/huge_memory: drop beyond-EOF folios with the right number of refs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22000",
    "datePublished": "2025-04-03T07:19:03.652Z",
    "dateReserved": "2024-12-29T08:45:45.802Z",
    "dateUpdated": "2025-10-01T17:10:44.113Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37745 (GCVE-0-2025-37745)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2026-01-02 15:29

Title

PM: hibernate: Avoid deadlock in hibernate_compressor_param_set()

Summary

In the Linux kernel, the following vulnerability has been resolved: PM: hibernate: Avoid deadlock in hibernate_compressor_param_set() syzbot reported a deadlock in lock_system_sleep() (see below). The write operation to "/sys/module/hibernate/parameters/compressor" conflicts with the registration of ieee80211 device, resulting in a deadlock when attempting to acquire system_transition_mutex under param_lock. To avoid this deadlock, change hibernate_compressor_param_set() to use mutex_trylock() for attempting to acquire system_transition_mutex and return -EBUSY when it fails. Task flags need not be saved or adjusted before calling mutex_trylock(&system_transition_mutex) because the caller is not going to end up waiting for this mutex and if it runs concurrently with system suspend in progress, it will be frozen properly when it returns to user space. syzbot report: syz-executor895/5833 is trying to acquire lock: ffffffff8e0828c8 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x87/0xa0 kernel/power/main.c:56 but task is already holding lock: ffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: kernel_param_lock kernel/params.c:607 [inline] ffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: param_attr_store+0xe6/0x300 kernel/params.c:586 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #3 (param_lock){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730 ieee80211_rate_control_ops_get net/mac80211/rate.c:220 [inline] rate_control_alloc net/mac80211/rate.c:266 [inline] ieee80211_init_rate_ctrl_alg+0x18d/0x6b0 net/mac80211/rate.c:1015 ieee80211_register_hw+0x20cd/0x4060 net/mac80211/main.c:1531 mac80211_hwsim_new_radio+0x304e/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5558 init_mac80211_hwsim+0x432/0x8c0 drivers/net/wireless/virtual/mac80211_hwsim.c:6910 do_one_initcall+0x128/0x700 init/main.c:1257 do_initcall_level init/main.c:1319 [inline] do_initcalls init/main.c:1335 [inline] do_basic_setup init/main.c:1354 [inline] kernel_init_freeable+0x5c7/0x900 init/main.c:1568 kernel_init+0x1c/0x2b0 init/main.c:1457 ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 -> #2 (rtnl_mutex){+.+.}-{4:4}: __mutex_lock_common kernel/locking/mutex.c:585 [inline] __mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730 wg_pm_notification drivers/net/wireguard/device.c:80 [inline] wg_pm_notification+0x49/0x180 drivers/net/wireguard/device.c:64 notifier_call_chain+0xb7/0x410 kernel/notifier.c:85 notifier_call_chain_robust kernel/notifier.c:120 [inline] blocking_notifier_call_chain_robust kernel/notifier.c:345 [inline] blocking_notifier_call_chain_robust+0xc9/0x170 kernel/notifier.c:333 pm_notifier_call_chain_robust+0x27/0x60 kernel/power/main.c:102 snapshot_open+0x189/0x2b0 kernel/power/user.c:77 misc_open+0x35a/0x420 drivers/char/misc.c:179 chrdev_open+0x237/0x6a0 fs/char_dev.c:414 do_dentry_open+0x735/0x1c40 fs/open.c:956 vfs_open+0x82/0x3f0 fs/open.c:1086 do_open fs/namei.c:3830 [inline] path_openat+0x1e88/0x2d80 fs/namei.c:3989 do_filp_open+0x20c/0x470 fs/namei.c:4016 do_sys_openat2+0x17a/0x1e0 fs/open.c:1428 do_sys_open fs/open.c:1443 [inline] __do_sys_openat fs/open.c:1459 [inline] __se_sys_openat fs/open.c:1454 [inline] __x64_sys_openat+0x175/0x210 fs/open.c:1454 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f -> #1 ((pm_chain_head).rwsem){++++}-{4:4}: down_read+0x9a/0x330 kernel/locking/rwsem.c:1524 blocking_notifier_call_chain_robust kerne ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/11ae4fec1f4b4ee06…
	https://git.kernel.org/stable/c/6dbaa8583af74814a…
	https://git.kernel.org/stable/c/3b2c3806ef4253595…
	https://git.kernel.org/stable/c/52323ed1444ea5c2a…

Impacted products

Vendor

Product

Version

Linux

Affected: 3fec6e5961b77af6a952b77f5c2ea26f7513b216 , < 11ae4fec1f4b4ee06770a572c37d89cbaecbf66e (git)
Affected: 3fec6e5961b77af6a952b77f5c2ea26f7513b216 , < 6dbaa8583af74814a5aae03a337cb1722c414808 (git)
Affected: 3fec6e5961b77af6a952b77f5c2ea26f7513b216 , < 3b2c3806ef4253595dfcb8b58352cfab55c9bfb0 (git)
Affected: 3fec6e5961b77af6a952b77f5c2ea26f7513b216 , < 52323ed1444ea5c2a5f1754ea0a2d9c8c216ccdf (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/power/hibernate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "11ae4fec1f4b4ee06770a572c37d89cbaecbf66e",
              "status": "affected",
              "version": "3fec6e5961b77af6a952b77f5c2ea26f7513b216",
              "versionType": "git"
            },
            {
              "lessThan": "6dbaa8583af74814a5aae03a337cb1722c414808",
              "status": "affected",
              "version": "3fec6e5961b77af6a952b77f5c2ea26f7513b216",
              "versionType": "git"
            },
            {
              "lessThan": "3b2c3806ef4253595dfcb8b58352cfab55c9bfb0",
              "status": "affected",
              "version": "3fec6e5961b77af6a952b77f5c2ea26f7513b216",
              "versionType": "git"
            },
            {
              "lessThan": "52323ed1444ea5c2a5f1754ea0a2d9c8c216ccdf",
              "status": "affected",
              "version": "3fec6e5961b77af6a952b77f5c2ea26f7513b216",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/power/hibernate.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nPM: hibernate: Avoid deadlock in hibernate_compressor_param_set()\n\nsyzbot reported a deadlock in lock_system_sleep() (see below).\n\nThe write operation to \"/sys/module/hibernate/parameters/compressor\"\nconflicts with the registration of ieee80211 device, resulting in a deadlock\nwhen attempting to acquire system_transition_mutex under param_lock.\n\nTo avoid this deadlock, change hibernate_compressor_param_set() to use\nmutex_trylock() for attempting to acquire system_transition_mutex and\nreturn -EBUSY when it fails.\n\nTask flags need not be saved or adjusted before calling\nmutex_trylock(\u0026system_transition_mutex) because the caller is not going\nto end up waiting for this mutex and if it runs concurrently with system\nsuspend in progress, it will be frozen properly when it returns to user\nspace.\n\nsyzbot report:\n\nsyz-executor895/5833 is trying to acquire lock:\nffffffff8e0828c8 (system_transition_mutex){+.+.}-{4:4}, at: lock_system_sleep+0x87/0xa0 kernel/power/main.c:56\n\nbut task is already holding lock:\nffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: kernel_param_lock kernel/params.c:607 [inline]\nffffffff8e07dc68 (param_lock){+.+.}-{4:4}, at: param_attr_store+0xe6/0x300 kernel/params.c:586\n\nwhich lock already depends on the new lock.\n\nthe existing dependency chain (in reverse order) is:\n\n-\u003e #3 (param_lock){+.+.}-{4:4}:\n       __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n       __mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730\n       ieee80211_rate_control_ops_get net/mac80211/rate.c:220 [inline]\n       rate_control_alloc net/mac80211/rate.c:266 [inline]\n       ieee80211_init_rate_ctrl_alg+0x18d/0x6b0 net/mac80211/rate.c:1015\n       ieee80211_register_hw+0x20cd/0x4060 net/mac80211/main.c:1531\n       mac80211_hwsim_new_radio+0x304e/0x54e0 drivers/net/wireless/virtual/mac80211_hwsim.c:5558\n       init_mac80211_hwsim+0x432/0x8c0 drivers/net/wireless/virtual/mac80211_hwsim.c:6910\n       do_one_initcall+0x128/0x700 init/main.c:1257\n       do_initcall_level init/main.c:1319 [inline]\n       do_initcalls init/main.c:1335 [inline]\n       do_basic_setup init/main.c:1354 [inline]\n       kernel_init_freeable+0x5c7/0x900 init/main.c:1568\n       kernel_init+0x1c/0x2b0 init/main.c:1457\n       ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:148\n       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n\n-\u003e #2 (rtnl_mutex){+.+.}-{4:4}:\n       __mutex_lock_common kernel/locking/mutex.c:585 [inline]\n       __mutex_lock+0x19b/0xb10 kernel/locking/mutex.c:730\n       wg_pm_notification drivers/net/wireguard/device.c:80 [inline]\n       wg_pm_notification+0x49/0x180 drivers/net/wireguard/device.c:64\n       notifier_call_chain+0xb7/0x410 kernel/notifier.c:85\n       notifier_call_chain_robust kernel/notifier.c:120 [inline]\n       blocking_notifier_call_chain_robust kernel/notifier.c:345 [inline]\n       blocking_notifier_call_chain_robust+0xc9/0x170 kernel/notifier.c:333\n       pm_notifier_call_chain_robust+0x27/0x60 kernel/power/main.c:102\n       snapshot_open+0x189/0x2b0 kernel/power/user.c:77\n       misc_open+0x35a/0x420 drivers/char/misc.c:179\n       chrdev_open+0x237/0x6a0 fs/char_dev.c:414\n       do_dentry_open+0x735/0x1c40 fs/open.c:956\n       vfs_open+0x82/0x3f0 fs/open.c:1086\n       do_open fs/namei.c:3830 [inline]\n       path_openat+0x1e88/0x2d80 fs/namei.c:3989\n       do_filp_open+0x20c/0x470 fs/namei.c:4016\n       do_sys_openat2+0x17a/0x1e0 fs/open.c:1428\n       do_sys_open fs/open.c:1443 [inline]\n       __do_sys_openat fs/open.c:1459 [inline]\n       __se_sys_openat fs/open.c:1454 [inline]\n       __x64_sys_openat+0x175/0x210 fs/open.c:1454\n       do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n       do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n       entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\n-\u003e #1 ((pm_chain_head).rwsem){++++}-{4:4}:\n       down_read+0x9a/0x330 kernel/locking/rwsem.c:1524\n       blocking_notifier_call_chain_robust kerne\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:00.805Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/11ae4fec1f4b4ee06770a572c37d89cbaecbf66e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6dbaa8583af74814a5aae03a337cb1722c414808"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b2c3806ef4253595dfcb8b58352cfab55c9bfb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/52323ed1444ea5c2a5f1754ea0a2d9c8c216ccdf"
        }
      ],
      "title": "PM: hibernate: Avoid deadlock in hibernate_compressor_param_set()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37745",
    "datePublished": "2025-05-01T12:55:52.679Z",
    "dateReserved": "2025-04-16T04:51:23.936Z",
    "dateUpdated": "2026-01-02T15:29:00.805Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-53144 (GCVE-0-2024-53144)

Vulnerability from cvelistv5 – Published: 2024-12-17 15:55 – Updated: 2025-11-03 22:29

Title

Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE This aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4 ("Bluetooth: Always request for user confirmation for Just Works") always request user confirmation with confirm_hint set since the likes of bluetoothd have dedicated policy around JUST_WORKS method (e.g. main.conf:JustWorksRepairing). CVE: CVE-2024-8805

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/baaa50c6f91ea5a9c…
	https://git.kernel.org/stable/c/22b49d6e4f399a390…
	https://git.kernel.org/stable/c/d17c631ba04e960eb…
	https://git.kernel.org/stable/c/830c03e58beb70b99…
	https://git.kernel.org/stable/c/ad7adfb95f64a761e…
	https://git.kernel.org/stable/c/5291ff856d2c5177b…
	https://git.kernel.org/stable/c/b25e11f978b63cb78…
	https://www.zerodayinitiative.com/advisories/ZDI-…

Impacted products

Vendor

Product

Version

Linux

Affected: ba15a58b179ed76a7e887177f2b06de12c58ec8f , < baaa50c6f91ea5a9c7503af51f2bc50e6568b66b (git)
Affected: ba15a58b179ed76a7e887177f2b06de12c58ec8f , < 22b49d6e4f399a390c70f3034f5fbacbb9413858 (git)
Affected: ba15a58b179ed76a7e887177f2b06de12c58ec8f , < d17c631ba04e960eb6f8728b10d585de20ac4f71 (git)
Affected: ba15a58b179ed76a7e887177f2b06de12c58ec8f , < 830c03e58beb70b99349760f822e505ecb4eeb7e (git)
Affected: ba15a58b179ed76a7e887177f2b06de12c58ec8f , < ad7adfb95f64a761e4784381e47bee1a362eb30d (git)
Affected: ba15a58b179ed76a7e887177f2b06de12c58ec8f , < 5291ff856d2c5177b4fe9c18828312be30213193 (git)
Affected: ba15a58b179ed76a7e887177f2b06de12c58ec8f , < b25e11f978b63cb7857890edb3a698599cddb10e (git)
Affected: 373d1dfcffc63c68184419264a7eaed422c7958e (git)
Affected: bc96ff59b2f19e924d9e15e24cee19723d674b92 (git)
Affected: 6ab84785311dc4d0348e6bd4e1c491293b770b98 (git)
Affected: 778763287ded64dd5c022435d3e0e3182f148a64 (git)
Affected: 9a5fcacabde0fe11456f4a1e88072c01846cea25 (git)
Affected: 039da39a616103ec7ab8ac351bfb317854e5507c (git)

Linux

Affected: 3.16
Unaffected: 0 , < 3.16 (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.113 , ≤ 6.1.* (semver)
Unaffected: 6.6.55 , ≤ 6.6.* (semver)
Unaffected: 6.10.14 , ≤ 6.10.* (semver)
Unaffected: 6.11.3 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:29:43.667Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "baaa50c6f91ea5a9c7503af51f2bc50e6568b66b",
              "status": "affected",
              "version": "ba15a58b179ed76a7e887177f2b06de12c58ec8f",
              "versionType": "git"
            },
            {
              "lessThan": "22b49d6e4f399a390c70f3034f5fbacbb9413858",
              "status": "affected",
              "version": "ba15a58b179ed76a7e887177f2b06de12c58ec8f",
              "versionType": "git"
            },
            {
              "lessThan": "d17c631ba04e960eb6f8728b10d585de20ac4f71",
              "status": "affected",
              "version": "ba15a58b179ed76a7e887177f2b06de12c58ec8f",
              "versionType": "git"
            },
            {
              "lessThan": "830c03e58beb70b99349760f822e505ecb4eeb7e",
              "status": "affected",
              "version": "ba15a58b179ed76a7e887177f2b06de12c58ec8f",
              "versionType": "git"
            },
            {
              "lessThan": "ad7adfb95f64a761e4784381e47bee1a362eb30d",
              "status": "affected",
              "version": "ba15a58b179ed76a7e887177f2b06de12c58ec8f",
              "versionType": "git"
            },
            {
              "lessThan": "5291ff856d2c5177b4fe9c18828312be30213193",
              "status": "affected",
              "version": "ba15a58b179ed76a7e887177f2b06de12c58ec8f",
              "versionType": "git"
            },
            {
              "lessThan": "b25e11f978b63cb7857890edb3a698599cddb10e",
              "status": "affected",
              "version": "ba15a58b179ed76a7e887177f2b06de12c58ec8f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "373d1dfcffc63c68184419264a7eaed422c7958e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bc96ff59b2f19e924d9e15e24cee19723d674b92",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6ab84785311dc4d0348e6bd4e1c491293b770b98",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "778763287ded64dd5c022435d3e0e3182f148a64",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9a5fcacabde0fe11456f4a1e88072c01846cea25",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "039da39a616103ec7ab8ac351bfb317854e5507c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/hci_event.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.16"
            },
            {
              "lessThan": "3.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.113",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.55",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.14",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.3",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "3.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.61",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.4.98",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.48",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.12.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.14.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.15.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE\n\nThis aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4\n(\"Bluetooth: Always request for user confirmation for Just Works\")\nalways request user confirmation with confirm_hint set since the\nlikes of bluetoothd have dedicated policy around JUST_WORKS method\n(e.g. main.conf:JustWorksRepairing).\n\nCVE: CVE-2024-8805"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:00:37.051Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/baaa50c6f91ea5a9c7503af51f2bc50e6568b66b"
        },
        {
          "url": "https://git.kernel.org/stable/c/22b49d6e4f399a390c70f3034f5fbacbb9413858"
        },
        {
          "url": "https://git.kernel.org/stable/c/d17c631ba04e960eb6f8728b10d585de20ac4f71"
        },
        {
          "url": "https://git.kernel.org/stable/c/830c03e58beb70b99349760f822e505ecb4eeb7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/ad7adfb95f64a761e4784381e47bee1a362eb30d"
        },
        {
          "url": "https://git.kernel.org/stable/c/5291ff856d2c5177b4fe9c18828312be30213193"
        },
        {
          "url": "https://git.kernel.org/stable/c/b25e11f978b63cb7857890edb3a698599cddb10e"
        },
        {
          "url": "https://www.zerodayinitiative.com/advisories/ZDI-24-1229/"
        }
      ],
      "title": "Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53144",
    "datePublished": "2024-12-17T15:55:03.394Z",
    "dateReserved": "2024-11-19T17:17:24.997Z",
    "dateUpdated": "2025-11-03T22:29:43.667Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38152 (GCVE-0-2025-38152)

Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2025-11-03 19:58

Title

remoteproc: core: Clear table_sz when rproc_shutdown

Summary

In the Linux kernel, the following vulnerability has been resolved: remoteproc: core: Clear table_sz when rproc_shutdown There is case as below could trigger kernel dump: Use U-Boot to start remote processor(rproc) with resource table published to a fixed address by rproc. After Kernel boots up, stop the rproc, load a new firmware which doesn't have resource table ,and start rproc. When starting rproc with a firmware not have resource table, `memcpy(loaded_table, rproc->cached_table, rproc->table_sz)` will trigger dump, because rproc->cache_table is set to NULL during the last stop operation, but rproc->table_sz is still valid. This issue is found on i.MX8MP and i.MX9. Dump as below: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000096000004 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x04: level 0 translation fault Data abort info: ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000 CM = 0, WnR = 0, TnD = 0, TagAccess = 0 GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 user pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000 [0000000000000000] pgd=0000000000000000, p4d=0000000000000000 Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP Modules linked in: CPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38 Hardware name: NXP i.MX8MPlus EVK board (DT) pstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : __pi_memcpy_generic+0x110/0x22c lr : rproc_start+0x88/0x1e0 Call trace: __pi_memcpy_generic+0x110/0x22c (P) rproc_boot+0x198/0x57c state_store+0x40/0x104 dev_attr_store+0x18/0x2c sysfs_kf_write+0x7c/0x94 kernfs_fop_write_iter+0x120/0x1cc vfs_write+0x240/0x378 ksys_write+0x70/0x108 __arm64_sys_write+0x1c/0x28 invoke_syscall+0x48/0x10c el0_svc_common.constprop.0+0xc0/0xe0 do_el0_svc+0x1c/0x28 el0_svc+0x30/0xcc el0t_64_sync_handler+0x10c/0x138 el0t_64_sync+0x198/0x19c Clear rproc->table_sz to address the issue.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6e66bca8cd51ebedd…
	https://git.kernel.org/stable/c/e6015ca453b82ec54…
	https://git.kernel.org/stable/c/7c6bb82a6f3da6ab2…
	https://git.kernel.org/stable/c/2df19f5f6f72da6f6…
	https://git.kernel.org/stable/c/8e0fd2a3b9852ac3c…
	https://git.kernel.org/stable/c/068f6648ff5b0c7ad…
	https://git.kernel.org/stable/c/efdde3d73ab25cef4…

Impacted products

Vendor

Product

Version

Linux

Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < 6e66bca8cd51ebedd5d32426906a38e4a3c69c5f (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < e6015ca453b82ec54aec9682dcc38773948fcc48 (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < 7c6bb82a6f3da6ab2d3fbea03901482231708b98 (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < 2df19f5f6f72da6f6ebab7cdb3a3b9f7686bb476 (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < 8e0fd2a3b9852ac3cf540edb06ccc0153b38b5af (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < 068f6648ff5b0c7adeb6c363fae7fb188aa178fa (git)
Affected: 9dc9507f1880fb6225e3e058cb5219b152cbf198 , < efdde3d73ab25cef4ff2d06783b0aad8b093c0e4 (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-38152",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T16:14:04.666150Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T16:14:08.373Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:58:29.104Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/remoteproc/remoteproc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6e66bca8cd51ebedd5d32426906a38e4a3c69c5f",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "e6015ca453b82ec54aec9682dcc38773948fcc48",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "7c6bb82a6f3da6ab2d3fbea03901482231708b98",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "2df19f5f6f72da6f6ebab7cdb3a3b9f7686bb476",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "8e0fd2a3b9852ac3cf540edb06ccc0153b38b5af",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "068f6648ff5b0c7adeb6c363fae7fb188aa178fa",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            },
            {
              "lessThan": "efdde3d73ab25cef4ff2d06783b0aad8b093c0e4",
              "status": "affected",
              "version": "9dc9507f1880fb6225e3e058cb5219b152cbf198",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/remoteproc/remoteproc_core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nremoteproc: core: Clear table_sz when rproc_shutdown\n\nThere is case as below could trigger kernel dump:\nUse U-Boot to start remote processor(rproc) with resource table\npublished to a fixed address by rproc. After Kernel boots up,\nstop the rproc, load a new firmware which doesn\u0027t have resource table\n,and start rproc.\n\nWhen starting rproc with a firmware not have resource table,\n`memcpy(loaded_table, rproc-\u003ecached_table, rproc-\u003etable_sz)` will\ntrigger dump, because rproc-\u003ecache_table is set to NULL during the last\nstop operation, but rproc-\u003etable_sz is still valid.\n\nThis issue is found on i.MX8MP and i.MX9.\n\nDump as below:\nUnable to handle kernel NULL pointer dereference at virtual address 0000000000000000\nMem abort info:\n  ESR = 0x0000000096000004\n  EC = 0x25: DABT (current EL), IL = 32 bits\n  SET = 0, FnV = 0\n  EA = 0, S1PTW = 0\n  FSC = 0x04: level 0 translation fault\nData abort info:\n  ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000\n  CM = 0, WnR = 0, TnD = 0, TagAccess = 0\n  GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0\nuser pgtable: 4k pages, 48-bit VAs, pgdp=000000010af63000\n[0000000000000000] pgd=0000000000000000, p4d=0000000000000000\nInternal error: Oops: 0000000096000004 [#1] PREEMPT SMP\nModules linked in:\nCPU: 2 UID: 0 PID: 1060 Comm: sh Not tainted 6.14.0-rc7-next-20250317-dirty #38\nHardware name: NXP i.MX8MPlus EVK board (DT)\npstate: a0000005 (NzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)\npc : __pi_memcpy_generic+0x110/0x22c\nlr : rproc_start+0x88/0x1e0\nCall trace:\n __pi_memcpy_generic+0x110/0x22c (P)\n rproc_boot+0x198/0x57c\n state_store+0x40/0x104\n dev_attr_store+0x18/0x2c\n sysfs_kf_write+0x7c/0x94\n kernfs_fop_write_iter+0x120/0x1cc\n vfs_write+0x240/0x378\n ksys_write+0x70/0x108\n __arm64_sys_write+0x1c/0x28\n invoke_syscall+0x48/0x10c\n el0_svc_common.constprop.0+0xc0/0xe0\n do_el0_svc+0x1c/0x28\n el0_svc+0x30/0xcc\n el0t_64_sync_handler+0x10c/0x138\n el0t_64_sync+0x198/0x19c\n\nClear rproc-\u003etable_sz to address the issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:25:19.695Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6e66bca8cd51ebedd5d32426906a38e4a3c69c5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6015ca453b82ec54aec9682dcc38773948fcc48"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c6bb82a6f3da6ab2d3fbea03901482231708b98"
        },
        {
          "url": "https://git.kernel.org/stable/c/2df19f5f6f72da6f6ebab7cdb3a3b9f7686bb476"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e0fd2a3b9852ac3cf540edb06ccc0153b38b5af"
        },
        {
          "url": "https://git.kernel.org/stable/c/068f6648ff5b0c7adeb6c363fae7fb188aa178fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/efdde3d73ab25cef4ff2d06783b0aad8b093c0e4"
        }
      ],
      "title": "remoteproc: core: Clear table_sz when rproc_shutdown",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38152",
    "datePublished": "2025-04-18T07:01:31.714Z",
    "dateReserved": "2025-04-16T04:51:23.989Z",
    "dateUpdated": "2025-11-03T19:58:29.104Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21981 (GCVE-0-2025-21981)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-11-03 19:40

Title

ice: fix memory leak in aRFS after reset

Summary

In the Linux kernel, the following vulnerability has been resolved: ice: fix memory leak in aRFS after reset Fix aRFS (accelerated Receive Flow Steering) structures memory leak by adding a checker to verify if aRFS memory is already allocated while configuring VSI. aRFS objects are allocated in two cases: - as part of VSI initialization (at probe), and - as part of reset handling However, VSI reconfiguration executed during reset involves memory allocation one more time, without prior releasing already allocated resources. This led to the memory leak with the following signature: [root@os-delivery ~]# cat /sys/kernel/debug/kmemleak unreferenced object 0xff3c1ca7252e6000 (size 8192): comm "kworker/0:0", pid 8, jiffies 4296833052 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace (crc 0): [<ffffffff991ec485>] __kmalloc_cache_noprof+0x275/0x340 [<ffffffffc0a6e06a>] ice_init_arfs+0x3a/0xe0 [ice] [<ffffffffc09f1027>] ice_vsi_cfg_def+0x607/0x850 [ice] [<ffffffffc09f244b>] ice_vsi_setup+0x5b/0x130 [ice] [<ffffffffc09c2131>] ice_init+0x1c1/0x460 [ice] [<ffffffffc09c64af>] ice_probe+0x2af/0x520 [ice] [<ffffffff994fbcd3>] local_pci_probe+0x43/0xa0 [<ffffffff98f07103>] work_for_cpu_fn+0x13/0x20 [<ffffffff98f0b6d9>] process_one_work+0x179/0x390 [<ffffffff98f0c1e9>] worker_thread+0x239/0x340 [<ffffffff98f14abc>] kthread+0xcc/0x100 [<ffffffff98e45a6d>] ret_from_fork+0x2d/0x50 [<ffffffff98e083ba>] ret_from_fork_asm+0x1a/0x30 ...

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ef2bc94059836a115…
	https://git.kernel.org/stable/c/e6902101f34f098af…
	https://git.kernel.org/stable/c/fcbacc47d16306c87…
	https://git.kernel.org/stable/c/5d30d256661fc11b6…
	https://git.kernel.org/stable/c/3b27e6e10a32589fc…
	https://git.kernel.org/stable/c/78f3d64b30210c0e5…
	https://git.kernel.org/stable/c/23d97f18901ef5e4e…

Impacted products

Vendor

Product

Version

Linux

Affected: 28bf26724fdb0e02267d19e280d6717ee810a10d , < ef2bc94059836a115430a6ad9d2838b0b34dc8f5 (git)
Affected: 28bf26724fdb0e02267d19e280d6717ee810a10d , < e6902101f34f098af59b0d1d8cf90c4124c02c6a (git)
Affected: 28bf26724fdb0e02267d19e280d6717ee810a10d , < fcbacc47d16306c87ad1b820b7a575f6e9eae58b (git)
Affected: 28bf26724fdb0e02267d19e280d6717ee810a10d , < 5d30d256661fc11b6e73fac6c3783a702e1006a3 (git)
Affected: 28bf26724fdb0e02267d19e280d6717ee810a10d , < 3b27e6e10a32589fcd293b8933ab6de9387a460e (git)
Affected: 28bf26724fdb0e02267d19e280d6717ee810a10d , < 78f3d64b30210c0e521c59357431aca14024cb79 (git)
Affected: 28bf26724fdb0e02267d19e280d6717ee810a10d , < 23d97f18901ef5e4e264e3b1777fe65c760186b5 (git)

Linux

Affected: 5.8
Unaffected: 0 , < 5.8 (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21981",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:14:51.241580Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:14:55.624Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:24.017Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_arfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ef2bc94059836a115430a6ad9d2838b0b34dc8f5",
              "status": "affected",
              "version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
              "versionType": "git"
            },
            {
              "lessThan": "e6902101f34f098af59b0d1d8cf90c4124c02c6a",
              "status": "affected",
              "version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
              "versionType": "git"
            },
            {
              "lessThan": "fcbacc47d16306c87ad1b820b7a575f6e9eae58b",
              "status": "affected",
              "version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
              "versionType": "git"
            },
            {
              "lessThan": "5d30d256661fc11b6e73fac6c3783a702e1006a3",
              "status": "affected",
              "version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
              "versionType": "git"
            },
            {
              "lessThan": "3b27e6e10a32589fcd293b8933ab6de9387a460e",
              "status": "affected",
              "version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
              "versionType": "git"
            },
            {
              "lessThan": "78f3d64b30210c0e521c59357431aca14024cb79",
              "status": "affected",
              "version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
              "versionType": "git"
            },
            {
              "lessThan": "23d97f18901ef5e4e264e3b1777fe65c760186b5",
              "status": "affected",
              "version": "28bf26724fdb0e02267d19e280d6717ee810a10d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/intel/ice/ice_arfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.8"
            },
            {
              "lessThan": "5.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nice: fix memory leak in aRFS after reset\n\nFix aRFS (accelerated Receive Flow Steering) structures memory leak by\nadding a checker to verify if aRFS memory is already allocated while\nconfiguring VSI. aRFS objects are allocated in two cases:\n- as part of VSI initialization (at probe), and\n- as part of reset handling\n\nHowever, VSI reconfiguration executed during reset involves memory\nallocation one more time, without prior releasing already allocated\nresources. This led to the memory leak with the following signature:\n\n[root@os-delivery ~]# cat /sys/kernel/debug/kmemleak\nunreferenced object 0xff3c1ca7252e6000 (size 8192):\n  comm \"kworker/0:0\", pid 8, jiffies 4296833052\n  hex dump (first 32 bytes):\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................\n  backtrace (crc 0):\n    [\u003cffffffff991ec485\u003e] __kmalloc_cache_noprof+0x275/0x340\n    [\u003cffffffffc0a6e06a\u003e] ice_init_arfs+0x3a/0xe0 [ice]\n    [\u003cffffffffc09f1027\u003e] ice_vsi_cfg_def+0x607/0x850 [ice]\n    [\u003cffffffffc09f244b\u003e] ice_vsi_setup+0x5b/0x130 [ice]\n    [\u003cffffffffc09c2131\u003e] ice_init+0x1c1/0x460 [ice]\n    [\u003cffffffffc09c64af\u003e] ice_probe+0x2af/0x520 [ice]\n    [\u003cffffffff994fbcd3\u003e] local_pci_probe+0x43/0xa0\n    [\u003cffffffff98f07103\u003e] work_for_cpu_fn+0x13/0x20\n    [\u003cffffffff98f0b6d9\u003e] process_one_work+0x179/0x390\n    [\u003cffffffff98f0c1e9\u003e] worker_thread+0x239/0x340\n    [\u003cffffffff98f14abc\u003e] kthread+0xcc/0x100\n    [\u003cffffffff98e45a6d\u003e] ret_from_fork+0x2d/0x50\n    [\u003cffffffff98e083ba\u003e] ret_from_fork_asm+0x1a/0x30\n    ..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:32.029Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ef2bc94059836a115430a6ad9d2838b0b34dc8f5"
        },
        {
          "url": "https://git.kernel.org/stable/c/e6902101f34f098af59b0d1d8cf90c4124c02c6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcbacc47d16306c87ad1b820b7a575f6e9eae58b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d30d256661fc11b6e73fac6c3783a702e1006a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b27e6e10a32589fcd293b8933ab6de9387a460e"
        },
        {
          "url": "https://git.kernel.org/stable/c/78f3d64b30210c0e521c59357431aca14024cb79"
        },
        {
          "url": "https://git.kernel.org/stable/c/23d97f18901ef5e4e264e3b1777fe65c760186b5"
        }
      ],
      "title": "ice: fix memory leak in aRFS after reset",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21981",
    "datePublished": "2025-04-01T15:47:09.744Z",
    "dateReserved": "2024-12-29T08:45:45.799Z",
    "dateUpdated": "2025-11-03T19:40:24.017Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-53051 (GCVE-0-2024-53051)

Vulnerability from cvelistv5 – Published: 2024-11-19 17:19 – Updated: 2026-01-05 10:55

Title

drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability Sometimes during hotplug scenario or suspend/resume scenario encoder is not always initialized when intel_hdcp_get_capability add a check to avoid kernel null pointer dereference.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4912e8fb3c37fb2de…
	https://git.kernel.org/stable/c/31b42af516afa1e18…

Impacted products

Vendor

Product

Version

Linux

Affected: bdc93fe0eb82f3646dbe34f6cea0cfcf5a1516ff , < 4912e8fb3c37fb2dedf48d9c18bbbecd70e720f8 (git)
Affected: bdc93fe0eb82f3646dbe34f6cea0cfcf5a1516ff , < 31b42af516afa1e184d1a9f9dd4096c54044269a (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 6.11.7 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-53051",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T20:13:12.327593Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T20:17:18.414Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/display/intel_hdcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4912e8fb3c37fb2dedf48d9c18bbbecd70e720f8",
              "status": "affected",
              "version": "bdc93fe0eb82f3646dbe34f6cea0cfcf5a1516ff",
              "versionType": "git"
            },
            {
              "lessThan": "31b42af516afa1e184d1a9f9dd4096c54044269a",
              "status": "affected",
              "version": "bdc93fe0eb82f3646dbe34f6cea0cfcf5a1516ff",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/i915/display/intel_hdcp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.7",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/i915/hdcp: Add encoder check in intel_hdcp_get_capability\n\nSometimes during hotplug scenario or suspend/resume scenario encoder is\nnot always initialized when intel_hdcp_get_capability add\na check to avoid kernel null pointer dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:55:28.713Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4912e8fb3c37fb2dedf48d9c18bbbecd70e720f8"
        },
        {
          "url": "https://git.kernel.org/stable/c/31b42af516afa1e184d1a9f9dd4096c54044269a"
        }
      ],
      "title": "drm/i915/hdcp: Add encoder check in intel_hdcp_get_capability",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53051",
    "datePublished": "2024-11-19T17:19:36.456Z",
    "dateReserved": "2024-11-19T17:17:24.973Z",
    "dateUpdated": "2026-01-05T10:55:28.713Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21934 (GCVE-0-2025-21934)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

rapidio: fix an API misues when rio_add_net() fails

Summary

In the Linux kernel, the following vulnerability has been resolved: rapidio: fix an API misues when rio_add_net() fails rio_add_net() calls device_register() and fails when device_register() fails. Thus, put_device() should be used rather than kfree(). Add "mport->net = NULL;" to avoid a use after free issue.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d4ec862ce80f64db9…
	https://git.kernel.org/stable/c/88ddad53e4cfb6de8…
	https://git.kernel.org/stable/c/cdd9f58f7fe41a55f…
	https://git.kernel.org/stable/c/a5f5e520e8fbc6294…
	https://git.kernel.org/stable/c/2537f01d57f08c527…
	https://git.kernel.org/stable/c/22e4977141dfc6d10…
	https://git.kernel.org/stable/c/f0aa4ee1cbbf77899…
	https://git.kernel.org/stable/c/b2ef51c74b0171fde…

Impacted products

Vendor

Product

Version

Linux

Affected: e8de370188d098bb49483c287b44925957c3c9b6 , < d4ec862ce80f64db923a1d942b5d11cf6fc87d36 (git)
Affected: e8de370188d098bb49483c287b44925957c3c9b6 , < 88ddad53e4cfb6de861c6d4fb7b25427f46baed5 (git)
Affected: e8de370188d098bb49483c287b44925957c3c9b6 , < cdd9f58f7fe41a55fae4305ea51fc234769fd466 (git)
Affected: e8de370188d098bb49483c287b44925957c3c9b6 , < a5f5e520e8fbc6294020ff8afa36f684d92c6e6a (git)
Affected: e8de370188d098bb49483c287b44925957c3c9b6 , < 2537f01d57f08c527e40bbb5862aa6ff43344898 (git)
Affected: e8de370188d098bb49483c287b44925957c3c9b6 , < 22e4977141dfc6d109bf29b495bf2187b4250990 (git)
Affected: e8de370188d098bb49483c287b44925957c3c9b6 , < f0aa4ee1cbbf7789907e5a3f6810de01c146c211 (git)
Affected: e8de370188d098bb49483c287b44925957c3c9b6 , < b2ef51c74b0171fde7eb69b6152d3d2f743ef269 (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21934",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:22:15.227028Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:33.096Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:30.684Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/rapidio/devices/rio_mport_cdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d4ec862ce80f64db923a1d942b5d11cf6fc87d36",
              "status": "affected",
              "version": "e8de370188d098bb49483c287b44925957c3c9b6",
              "versionType": "git"
            },
            {
              "lessThan": "88ddad53e4cfb6de861c6d4fb7b25427f46baed5",
              "status": "affected",
              "version": "e8de370188d098bb49483c287b44925957c3c9b6",
              "versionType": "git"
            },
            {
              "lessThan": "cdd9f58f7fe41a55fae4305ea51fc234769fd466",
              "status": "affected",
              "version": "e8de370188d098bb49483c287b44925957c3c9b6",
              "versionType": "git"
            },
            {
              "lessThan": "a5f5e520e8fbc6294020ff8afa36f684d92c6e6a",
              "status": "affected",
              "version": "e8de370188d098bb49483c287b44925957c3c9b6",
              "versionType": "git"
            },
            {
              "lessThan": "2537f01d57f08c527e40bbb5862aa6ff43344898",
              "status": "affected",
              "version": "e8de370188d098bb49483c287b44925957c3c9b6",
              "versionType": "git"
            },
            {
              "lessThan": "22e4977141dfc6d109bf29b495bf2187b4250990",
              "status": "affected",
              "version": "e8de370188d098bb49483c287b44925957c3c9b6",
              "versionType": "git"
            },
            {
              "lessThan": "f0aa4ee1cbbf7789907e5a3f6810de01c146c211",
              "status": "affected",
              "version": "e8de370188d098bb49483c287b44925957c3c9b6",
              "versionType": "git"
            },
            {
              "lessThan": "b2ef51c74b0171fde7eb69b6152d3d2f743ef269",
              "status": "affected",
              "version": "e8de370188d098bb49483c287b44925957c3c9b6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/rapidio/devices/rio_mport_cdev.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nrapidio: fix an API misues when rio_add_net() fails\n\nrio_add_net() calls device_register() and fails when device_register()\nfails.  Thus, put_device() should be used rather than kfree().  Add\n\"mport-\u003enet = NULL;\" to avoid a use after free issue."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:54.006Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d4ec862ce80f64db923a1d942b5d11cf6fc87d36"
        },
        {
          "url": "https://git.kernel.org/stable/c/88ddad53e4cfb6de861c6d4fb7b25427f46baed5"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdd9f58f7fe41a55fae4305ea51fc234769fd466"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5f5e520e8fbc6294020ff8afa36f684d92c6e6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2537f01d57f08c527e40bbb5862aa6ff43344898"
        },
        {
          "url": "https://git.kernel.org/stable/c/22e4977141dfc6d109bf29b495bf2187b4250990"
        },
        {
          "url": "https://git.kernel.org/stable/c/f0aa4ee1cbbf7789907e5a3f6810de01c146c211"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2ef51c74b0171fde7eb69b6152d3d2f743ef269"
        }
      ],
      "title": "rapidio: fix an API misues when rio_add_net() fails",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21934",
    "datePublished": "2025-04-01T15:41:02.804Z",
    "dateReserved": "2024-12-29T08:45:45.789Z",
    "dateUpdated": "2025-11-03T19:39:30.684Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37981 (GCVE-0-2025-37981)

Vulnerability from cvelistv5 – Published: 2025-05-20 16:58 – Updated: 2025-05-26 05:25

Title

scsi: smartpqi: Use is_kdump_kernel() to check for kdump

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: smartpqi: Use is_kdump_kernel() to check for kdump The smartpqi driver checks the reset_devices variable to determine whether special adjustments need to be made for kdump. This has the effect that after a regular kexec reboot, some driver parameters such as max_transfer_size are much lower than usual. More importantly, kexec reboot tests have revealed memory corruption caused by the driver log being written to system memory after a kexec. Fix this by testing is_kdump_kernel() rather than reset_devices where appropriate.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7cc670e8ebaa5241d…
	https://git.kernel.org/stable/c/ebf673c76ce91e612…
	https://git.kernel.org/stable/c/a2d5a0072235a6974…

Impacted products

Vendor

Product

Version

Linux

Affected: 058311b72f54890de824b063feb603942269b732 , < 7cc670e8ebaa5241dd99c0ad75eceb8f8f64f607 (git)
Affected: 058311b72f54890de824b063feb603942269b732 , < ebf673c76ce91e612a882dfaa9a3824962994aae (git)
Affected: 058311b72f54890de824b063feb603942269b732 , < a2d5a0072235a69749ceb04c1a26dc75df66a31a (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/smartpqi/smartpqi_init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7cc670e8ebaa5241dd99c0ad75eceb8f8f64f607",
              "status": "affected",
              "version": "058311b72f54890de824b063feb603942269b732",
              "versionType": "git"
            },
            {
              "lessThan": "ebf673c76ce91e612a882dfaa9a3824962994aae",
              "status": "affected",
              "version": "058311b72f54890de824b063feb603942269b732",
              "versionType": "git"
            },
            {
              "lessThan": "a2d5a0072235a69749ceb04c1a26dc75df66a31a",
              "status": "affected",
              "version": "058311b72f54890de824b063feb603942269b732",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/smartpqi/smartpqi_init.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: smartpqi: Use is_kdump_kernel() to check for kdump\n\nThe smartpqi driver checks the reset_devices variable to determine\nwhether special adjustments need to be made for kdump. This has the\neffect that after a regular kexec reboot, some driver parameters such as\nmax_transfer_size are much lower than usual. More importantly, kexec\nreboot tests have revealed memory corruption caused by the driver log\nbeing written to system memory after a kexec.\n\nFix this by testing is_kdump_kernel() rather than reset_devices where\nappropriate."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:25:02.522Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7cc670e8ebaa5241dd99c0ad75eceb8f8f64f607"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebf673c76ce91e612a882dfaa9a3824962994aae"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2d5a0072235a69749ceb04c1a26dc75df66a31a"
        }
      ],
      "title": "scsi: smartpqi: Use is_kdump_kernel() to check for kdump",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37981",
    "datePublished": "2025-05-20T16:58:23.299Z",
    "dateReserved": "2025-04-16T04:51:23.975Z",
    "dateUpdated": "2025-05-26T05:25:02.522Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21699 (GCVE-0-2025-21699)

Vulnerability from cvelistv5 – Published: 2025-02-12 13:52 – Updated: 2026-01-02 15:28

Title

gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag

Summary

In the Linux kernel, the following vulnerability has been resolved: gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag Truncate an inode's address space when flipping the GFS2_DIF_JDATA flag: depending on that flag, the pages in the address space will either use buffer heads or iomap_folio_state structs, and we cannot mix the two.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8c41abc11aa8438c9…
	https://git.kernel.org/stable/c/4e3ded34f3f3c9d7e…
	https://git.kernel.org/stable/c/2a40a140e11fec699…
	https://git.kernel.org/stable/c/4dd57d1f0e9844311…
	https://git.kernel.org/stable/c/4516febe325342555…
	https://git.kernel.org/stable/c/5bb1fd0855bb0abc7…
	https://git.kernel.org/stable/c/7c9d9223802fbed4d…

Impacted products

Vendor

Product

Version

Linux

Affected: 2164f9b9186962ffb7c687e18ec6f5255525f09d , < 8c41abc11aa8438c9ed2d973f97e66674c0355df (git)
Affected: 2164f9b9186962ffb7c687e18ec6f5255525f09d , < 4e3ded34f3f3c9d7ed2aac7be8cf51153646574a (git)
Affected: 2164f9b9186962ffb7c687e18ec6f5255525f09d , < 2a40a140e11fec699e128170ccaa98b6b82cb503 (git)
Affected: 2164f9b9186962ffb7c687e18ec6f5255525f09d , < 4dd57d1f0e9844311c635a7fb39abce4f2ac5a61 (git)
Affected: 2164f9b9186962ffb7c687e18ec6f5255525f09d , < 4516febe325342555bb09ca5b396fb816d655821 (git)
Affected: 2164f9b9186962ffb7c687e18ec6f5255525f09d , < 5bb1fd0855bb0abc7d97e44758d6ffed7882d2d0 (git)
Affected: 2164f9b9186962ffb7c687e18ec6f5255525f09d , < 7c9d9223802fbed4dee1ae301661bf346964c9d2 (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.234 , ≤ 5.10.* (semver)
Unaffected: 5.15.178 , ≤ 5.15.* (semver)
Unaffected: 6.1.128 , ≤ 6.1.* (semver)
Unaffected: 6.6.75 , ≤ 6.6.* (semver)
Unaffected: 6.12.12 , ≤ 6.12.* (semver)
Unaffected: 6.13.1 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21699",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:51:04.949443Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:09.197Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:59:23.304Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/gfs2/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8c41abc11aa8438c9ed2d973f97e66674c0355df",
              "status": "affected",
              "version": "2164f9b9186962ffb7c687e18ec6f5255525f09d",
              "versionType": "git"
            },
            {
              "lessThan": "4e3ded34f3f3c9d7ed2aac7be8cf51153646574a",
              "status": "affected",
              "version": "2164f9b9186962ffb7c687e18ec6f5255525f09d",
              "versionType": "git"
            },
            {
              "lessThan": "2a40a140e11fec699e128170ccaa98b6b82cb503",
              "status": "affected",
              "version": "2164f9b9186962ffb7c687e18ec6f5255525f09d",
              "versionType": "git"
            },
            {
              "lessThan": "4dd57d1f0e9844311c635a7fb39abce4f2ac5a61",
              "status": "affected",
              "version": "2164f9b9186962ffb7c687e18ec6f5255525f09d",
              "versionType": "git"
            },
            {
              "lessThan": "4516febe325342555bb09ca5b396fb816d655821",
              "status": "affected",
              "version": "2164f9b9186962ffb7c687e18ec6f5255525f09d",
              "versionType": "git"
            },
            {
              "lessThan": "5bb1fd0855bb0abc7d97e44758d6ffed7882d2d0",
              "status": "affected",
              "version": "2164f9b9186962ffb7c687e18ec6f5255525f09d",
              "versionType": "git"
            },
            {
              "lessThan": "7c9d9223802fbed4dee1ae301661bf346964c9d2",
              "status": "affected",
              "version": "2164f9b9186962ffb7c687e18ec6f5255525f09d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/gfs2/file.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.234",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.178",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.128",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.234",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.178",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.128",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.12",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.1",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngfs2: Truncate address space when flipping GFS2_DIF_JDATA flag\n\nTruncate an inode\u0027s address space when flipping the GFS2_DIF_JDATA flag:\ndepending on that flag, the pages in the address space will either use\nbuffer heads or iomap_folio_state structs, and we cannot mix the two."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:28:27.961Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8c41abc11aa8438c9ed2d973f97e66674c0355df"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e3ded34f3f3c9d7ed2aac7be8cf51153646574a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a40a140e11fec699e128170ccaa98b6b82cb503"
        },
        {
          "url": "https://git.kernel.org/stable/c/4dd57d1f0e9844311c635a7fb39abce4f2ac5a61"
        },
        {
          "url": "https://git.kernel.org/stable/c/4516febe325342555bb09ca5b396fb816d655821"
        },
        {
          "url": "https://git.kernel.org/stable/c/5bb1fd0855bb0abc7d97e44758d6ffed7882d2d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c9d9223802fbed4dee1ae301661bf346964c9d2"
        }
      ],
      "title": "gfs2: Truncate address space when flipping GFS2_DIF_JDATA flag",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21699",
    "datePublished": "2025-02-12T13:52:50.962Z",
    "dateReserved": "2024-12-29T08:45:45.748Z",
    "dateUpdated": "2026-01-02T15:28:27.961Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21866 (GCVE-0-2025-21866)

Vulnerability from cvelistv5 – Published: 2025-03-12 09:42 – Updated: 2025-11-03 19:38

Title

powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC

Summary

In the Linux kernel, the following vulnerability has been resolved: powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC Erhard reported the following KASAN hit while booting his PowerMac G4 with a KASAN-enabled kernel 6.13-rc6: BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8 Write of size 8 at addr f1000000 by task chronyd/1293 CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G W 6.13.0-rc6-PMacG4 #2 Tainted: [W]=WARN Hardware name: PowerMac3,6 7455 0x80010303 PowerMac Call Trace: [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable) [c24375b0] [c0504998] print_report+0xdc/0x504 [c2437610] [c050475c] kasan_report+0xf8/0x108 [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8 [c24376c0] [c004c014] patch_instructions+0x15c/0x16c [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478 [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14 [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4 [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890 [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420 [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c --- interrupt: c00 at 0x5a1274 NIP: 005a1274 LR: 006a3b3c CTR: 005296c8 REGS: c2437f40 TRAP: 0c00 Tainted: G W (6.13.0-rc6-PMacG4) MSR: 0200f932 <VEC,EE,PR,FP,ME,IR,DR,RI> CR: 24004422 XER: 00000000 GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932 GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57 GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002 GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001 NIP [005a1274] 0x5a1274 LR [006a3b3c] 0x6a3b3c --- interrupt: c00 The buggy address belongs to the virtual mapping at [f1000000, f1002000) created by: text_area_cpu_up+0x20/0x190 The buggy address belongs to the physical page: page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30 flags: 0x80000000(zone=2) raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001 raw: 00000000 page dumped because: kasan: bad access detected Memory state around the buggy address: f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >f1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ^ f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 ================================================================== f8 corresponds to KASAN_VMALLOC_INVALID which means the area is not initialised hence not supposed to be used yet. Powerpc text patching infrastructure allocates a virtual memory area using get_vm_area() and flags it as VM_ALLOC. But that flag is meant to be used for vmalloc() and vmalloc() allocated memory is not supposed to be used before a call to __vmalloc_node_range() which is never called for that area. That went undetected until commit e4137f08816b ("mm, kasan, kmsan: instrument copy_from/to_kernel_nofault") The area allocated by text_area_cpu_up() is not vmalloc memory, it is mapped directly on demand when needed by map_kernel_page(). There is no VM flag corresponding to such usage, so just pass no flag. That way the area will be unpoisonned and usable immediately.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-770 - Allocation of Resources Without Limits or Throttling

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/97de5852058a299ba…
	https://git.kernel.org/stable/c/f8d4c5b653c1bc0df…
	https://git.kernel.org/stable/c/6847b3e40bb963e57…
	https://git.kernel.org/stable/c/c905a3053518212a1…
	https://git.kernel.org/stable/c/2d542f13d26344e34…
	https://git.kernel.org/stable/c/8d06e9208184b2851…
	https://git.kernel.org/stable/c/2e6c80423f201405f…
	https://git.kernel.org/stable/c/d262a192d38e527fa…

Impacted products

Vendor

Product

Version

Linux

Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < 97de5852058a299ba447cd9782fe96488d30108b (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < f8d4c5b653c1bc0df56e15658bbf64fc359adc4e (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < 6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < c905a3053518212a1017e50bd2be3bee59305bb0 (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < 2d542f13d26344e3452eee77613026ce9b653065 (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < 8d06e9208184b2851fa79a3a39d6860320c8bdf8 (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < 2e6c80423f201405fd65254e52decd21663896f3 (git)
Affected: 37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1 , < d262a192d38e527faa5984629aabda2e0d1c4f54 (git)

Linux

Affected: 4.13
Unaffected: 0 , < 4.13 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.80 , ≤ 6.6.* (semver)
Unaffected: 6.12.17 , ≤ 6.12.* (semver)
Unaffected: 6.13.5 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21866",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:25:25.349170Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-770",
                "description": "CWE-770 Allocation of Resources Without Limits or Throttling",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:36.847Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:23.377Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/lib/code-patching.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "97de5852058a299ba447cd9782fe96488d30108b",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "f8d4c5b653c1bc0df56e15658bbf64fc359adc4e",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "c905a3053518212a1017e50bd2be3bee59305bb0",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "2d542f13d26344e3452eee77613026ce9b653065",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "8d06e9208184b2851fa79a3a39d6860320c8bdf8",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "2e6c80423f201405fd65254e52decd21663896f3",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            },
            {
              "lessThan": "d262a192d38e527faa5984629aabda2e0d1c4f54",
              "status": "affected",
              "version": "37bc3e5fd764fb258ff4fcbb90b6d1b67fb466c1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/lib/code-patching.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC\n\nErhard reported the following KASAN hit while booting his PowerMac G4\nwith a KASAN-enabled kernel 6.13-rc6:\n\n  BUG: KASAN: vmalloc-out-of-bounds in copy_to_kernel_nofault+0xd8/0x1c8\n  Write of size 8 at addr f1000000 by task chronyd/1293\n\n  CPU: 0 UID: 123 PID: 1293 Comm: chronyd Tainted: G        W          6.13.0-rc6-PMacG4 #2\n  Tainted: [W]=WARN\n  Hardware name: PowerMac3,6 7455 0x80010303 PowerMac\n  Call Trace:\n  [c2437590] [c1631a84] dump_stack_lvl+0x70/0x8c (unreliable)\n  [c24375b0] [c0504998] print_report+0xdc/0x504\n  [c2437610] [c050475c] kasan_report+0xf8/0x108\n  [c2437690] [c0505a3c] kasan_check_range+0x24/0x18c\n  [c24376a0] [c03fb5e4] copy_to_kernel_nofault+0xd8/0x1c8\n  [c24376c0] [c004c014] patch_instructions+0x15c/0x16c\n  [c2437710] [c00731a8] bpf_arch_text_copy+0x60/0x7c\n  [c2437730] [c0281168] bpf_jit_binary_pack_finalize+0x50/0xac\n  [c2437750] [c0073cf4] bpf_int_jit_compile+0xb30/0xdec\n  [c2437880] [c0280394] bpf_prog_select_runtime+0x15c/0x478\n  [c24378d0] [c1263428] bpf_prepare_filter+0xbf8/0xc14\n  [c2437990] [c12677ec] bpf_prog_create_from_user+0x258/0x2b4\n  [c24379d0] [c027111c] do_seccomp+0x3dc/0x1890\n  [c2437ac0] [c001d8e0] system_call_exception+0x2dc/0x420\n  [c2437f30] [c00281ac] ret_from_syscall+0x0/0x2c\n  --- interrupt: c00 at 0x5a1274\n  NIP:  005a1274 LR: 006a3b3c CTR: 005296c8\n  REGS: c2437f40 TRAP: 0c00   Tainted: G        W           (6.13.0-rc6-PMacG4)\n  MSR:  0200f932 \u003cVEC,EE,PR,FP,ME,IR,DR,RI\u003e  CR: 24004422  XER: 00000000\n\n  GPR00: 00000166 af8f3fa0 a7ee3540 00000001 00000000 013b6500 005a5858 0200f932\n  GPR08: 00000000 00001fe9 013d5fc8 005296c8 2822244c 00b2fcd8 00000000 af8f4b57\n  GPR16: 00000000 00000001 00000000 00000000 00000000 00000001 00000000 00000002\n  GPR24: 00afdbb0 00000000 00000000 00000000 006e0004 013ce060 006e7c1c 00000001\n  NIP [005a1274] 0x5a1274\n  LR [006a3b3c] 0x6a3b3c\n  --- interrupt: c00\n\n  The buggy address belongs to the virtual mapping at\n   [f1000000, f1002000) created by:\n   text_area_cpu_up+0x20/0x190\n\n  The buggy address belongs to the physical page:\n  page: refcount:1 mapcount:0 mapping:00000000 index:0x0 pfn:0x76e30\n  flags: 0x80000000(zone=2)\n  raw: 80000000 00000000 00000122 00000000 00000000 00000000 ffffffff 00000001\n  raw: 00000000\n  page dumped because: kasan: bad access detected\n\n  Memory state around the buggy address:\n   f0ffff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n   f0ffff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  \u003ef1000000: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n             ^\n   f1000080: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n   f1000100: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8\n  ==================================================================\n\nf8 corresponds to KASAN_VMALLOC_INVALID which means the area is not\ninitialised hence not supposed to be used yet.\n\nPowerpc text patching infrastructure allocates a virtual memory area\nusing get_vm_area() and flags it as VM_ALLOC. But that flag is meant\nto be used for vmalloc() and vmalloc() allocated memory is not\nsupposed to be used before a call to __vmalloc_node_range() which is\nnever called for that area.\n\nThat went undetected until commit e4137f08816b (\"mm, kasan, kmsan:\ninstrument copy_from/to_kernel_nofault\")\n\nThe area allocated by text_area_cpu_up() is not vmalloc memory, it is\nmapped directly on demand when needed by map_kernel_page(). There is\nno VM flag corresponding to such usage, so just pass no flag. That way\nthe area will be unpoisonned and usable immediately."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:49.560Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/97de5852058a299ba447cd9782fe96488d30108b"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8d4c5b653c1bc0df56e15658bbf64fc359adc4e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6847b3e40bb963e57b61d1cc6fe84cb37b9d3d4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c905a3053518212a1017e50bd2be3bee59305bb0"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d542f13d26344e3452eee77613026ce9b653065"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d06e9208184b2851fa79a3a39d6860320c8bdf8"
        },
        {
          "url": "https://git.kernel.org/stable/c/2e6c80423f201405fd65254e52decd21663896f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/d262a192d38e527faa5984629aabda2e0d1c4f54"
        }
      ],
      "title": "powerpc/code-patching: Fix KASAN hit by not flagging text patching area as VM_ALLOC",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21866",
    "datePublished": "2025-03-12T09:42:22.587Z",
    "dateReserved": "2024-12-29T08:45:45.781Z",
    "dateUpdated": "2025-11-03T19:38:23.377Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39989 (GCVE-0-2025-39989)

Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2025-05-26 05:25

Title

x86/mce: use is_copy_from_user() to determine copy-from-user context

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/mce: use is_copy_from_user() to determine copy-from-user context Patch series "mm/hwpoison: Fix regressions in memory failure handling", v4. ## 1. What am I trying to do: This patchset resolves two critical regressions related to memory failure handling that have appeared in the upstream kernel since version 5.17, as compared to 5.10 LTS. - copyin case: poison found in user page while kernel copying from user space - instr case: poison found while instruction fetching in user space ## 2. What is the expected outcome and why - For copyin case: Kernel can recover from poison found where kernel is doing get_user() or copy_from_user() if those places get an error return and the kernel return -EFAULT to the process instead of crashing. More specifily, MCE handler checks the fixup handler type to decide whether an in kernel #MC can be recovered. When EX_TYPE_UACCESS is found, the PC jumps to recovery code specified in _ASM_EXTABLE_FAULT() and return a -EFAULT to user space. - For instr case: If a poison found while instruction fetching in user space, full recovery is possible. User process takes #PF, Linux allocates a new page and fills by reading from storage. ## 3. What actually happens and why - For copyin case: kernel panic since v5.17 Commit 4c132d1d844a ("x86/futex: Remove .fixup usage") introduced a new extable fixup type, EX_TYPE_EFAULT_REG, and later patches updated the extable fixup type for copy-from-user operations, changing it from EX_TYPE_UACCESS to EX_TYPE_EFAULT_REG. It breaks previous EX_TYPE_UACCESS handling when posion found in get_user() or copy_from_user(). - For instr case: user process is killed by a SIGBUS signal due to #CMCI and #MCE race When an uncorrected memory error is consumed there is a race between the CMCI from the memory controller reporting an uncorrected error with a UCNA signature, and the core reporting and SRAR signature machine check when the data is about to be consumed. ### Background: why *UN*corrected errors tied to *C*MCI in Intel platform [1] Prior to Icelake memory controllers reported patrol scrub events that detected a previously unseen uncorrected error in memory by signaling a broadcast machine check with an SRAO (Software Recoverable Action Optional) signature in the machine check bank. This was overkill because it's not an urgent problem that no core is on the verge of consuming that bad data. It's also found that multi SRAO UCE may cause nested MCE interrupts and finally become an IERR. Hence, Intel downgrades the machine check bank signature of patrol scrub from SRAO to UCNA (Uncorrected, No Action required), and signal changed to #CMCI. Just to add to the confusion, Linux does take an action (in uc_decode_notifier()) to try to offline the page despite the UC*NA* signature name. ### Background: why #CMCI and #MCE race when poison is consuming in Intel platform [1] Having decided that CMCI/UCNA is the best action for patrol scrub errors, the memory controller uses it for reads too. But the memory controller is executing asynchronously from the core, and can't tell the difference between a "real" read and a speculative read. So it will do CMCI/UCNA if an error is found in any read. Thus: 1) Core is clever and thinks address A is needed soon, issues a speculative read. 2) Core finds it is going to use address A soon after sending the read request 3) The CMCI from the memory controller is in a race with MCE from the core that will soon try to retire the load from address A. Quite often (because speculation has got better) the CMCI from the memory controller is delivered before the core is committed to the instruction reading address A, so the interrupt is taken, and Linux offlines the page (marking it as poison). ## Why user process is killed for instr case Commit 046545a661af ("mm/hwpoison: fix error page recovered but reported "not ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5724654a084f701dc…
	https://git.kernel.org/stable/c/3e3d8169c0950a0b3…
	https://git.kernel.org/stable/c/449413da90a337f34…
	https://git.kernel.org/stable/c/0b8388e97ba6a8c03…
	https://git.kernel.org/stable/c/1a15bb8303b6b104e…

Impacted products

Vendor

Product

Version

Linux

Affected: 4c132d1d844a53fc4e4b5c34e36ef10d6124b783 , < 5724654a084f701dc64b08d34a0e800f22f0e6e4 (git)
Affected: 4c132d1d844a53fc4e4b5c34e36ef10d6124b783 , < 3e3d8169c0950a0b3cd5105f6403a78350dcac80 (git)
Affected: 4c132d1d844a53fc4e4b5c34e36ef10d6124b783 , < 449413da90a337f343cc5a73070cbd68e92e8a54 (git)
Affected: 4c132d1d844a53fc4e4b5c34e36ef10d6124b783 , < 0b8388e97ba6a8c033f9a8b5565af41af07f9345 (git)
Affected: 4c132d1d844a53fc4e4b5c34e36ef10d6124b783 , < 1a15bb8303b6b104e78028b6c68f76a0d4562134 (git)
Affected: 88eded8104d2ca0429703755dd250f8cbecc1447 (git)

Linux

Affected: 5.17
Unaffected: 0 , < 5.17 (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/mce/severity.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5724654a084f701dc64b08d34a0e800f22f0e6e4",
              "status": "affected",
              "version": "4c132d1d844a53fc4e4b5c34e36ef10d6124b783",
              "versionType": "git"
            },
            {
              "lessThan": "3e3d8169c0950a0b3cd5105f6403a78350dcac80",
              "status": "affected",
              "version": "4c132d1d844a53fc4e4b5c34e36ef10d6124b783",
              "versionType": "git"
            },
            {
              "lessThan": "449413da90a337f343cc5a73070cbd68e92e8a54",
              "status": "affected",
              "version": "4c132d1d844a53fc4e4b5c34e36ef10d6124b783",
              "versionType": "git"
            },
            {
              "lessThan": "0b8388e97ba6a8c033f9a8b5565af41af07f9345",
              "status": "affected",
              "version": "4c132d1d844a53fc4e4b5c34e36ef10d6124b783",
              "versionType": "git"
            },
            {
              "lessThan": "1a15bb8303b6b104e78028b6c68f76a0d4562134",
              "status": "affected",
              "version": "4c132d1d844a53fc4e4b5c34e36ef10d6124b783",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "88eded8104d2ca0429703755dd250f8cbecc1447",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/cpu/mce/severity.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.17"
            },
            {
              "lessThan": "5.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.58",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mce: use is_copy_from_user() to determine copy-from-user context\n\nPatch series \"mm/hwpoison: Fix regressions in memory failure handling\",\nv4.\n\n## 1. What am I trying to do:\n\nThis patchset resolves two critical regressions related to memory failure\nhandling that have appeared in the upstream kernel since version 5.17, as\ncompared to 5.10 LTS.\n\n    - copyin case: poison found in user page while kernel copying from user space\n    - instr case: poison found while instruction fetching in user space\n\n## 2. What is the expected outcome and why\n\n- For copyin case:\n\nKernel can recover from poison found where kernel is doing get_user() or\ncopy_from_user() if those places get an error return and the kernel return\n-EFAULT to the process instead of crashing.  More specifily, MCE handler\nchecks the fixup handler type to decide whether an in kernel #MC can be\nrecovered.  When EX_TYPE_UACCESS is found, the PC jumps to recovery code\nspecified in _ASM_EXTABLE_FAULT() and return a -EFAULT to user space.\n\n- For instr case:\n\nIf a poison found while instruction fetching in user space, full recovery\nis possible.  User process takes #PF, Linux allocates a new page and fills\nby reading from storage.\n\n\n## 3. What actually happens and why\n\n- For copyin case: kernel panic since v5.17\n\nCommit 4c132d1d844a (\"x86/futex: Remove .fixup usage\") introduced a new\nextable fixup type, EX_TYPE_EFAULT_REG, and later patches updated the\nextable fixup type for copy-from-user operations, changing it from\nEX_TYPE_UACCESS to EX_TYPE_EFAULT_REG.  It breaks previous EX_TYPE_UACCESS\nhandling when posion found in get_user() or copy_from_user().\n\n- For instr case: user process is killed by a SIGBUS signal due to #CMCI\n  and #MCE race\n\nWhen an uncorrected memory error is consumed there is a race between the\nCMCI from the memory controller reporting an uncorrected error with a UCNA\nsignature, and the core reporting and SRAR signature machine check when\nthe data is about to be consumed.\n\n### Background: why *UN*corrected errors tied to *C*MCI in Intel platform [1]\n\nPrior to Icelake memory controllers reported patrol scrub events that\ndetected a previously unseen uncorrected error in memory by signaling a\nbroadcast machine check with an SRAO (Software Recoverable Action\nOptional) signature in the machine check bank.  This was overkill because\nit\u0027s not an urgent problem that no core is on the verge of consuming that\nbad data.  It\u0027s also found that multi SRAO UCE may cause nested MCE\ninterrupts and finally become an IERR.\n\nHence, Intel downgrades the machine check bank signature of patrol scrub\nfrom SRAO to UCNA (Uncorrected, No Action required), and signal changed to\n#CMCI.  Just to add to the confusion, Linux does take an action (in\nuc_decode_notifier()) to try to offline the page despite the UC*NA*\nsignature name.\n\n### Background: why #CMCI and #MCE race when poison is consuming in\n    Intel platform [1]\n\nHaving decided that CMCI/UCNA is the best action for patrol scrub errors,\nthe memory controller uses it for reads too.  But the memory controller is\nexecuting asynchronously from the core, and can\u0027t tell the difference\nbetween a \"real\" read and a speculative read.  So it will do CMCI/UCNA if\nan error is found in any read.\n\nThus:\n\n1) Core is clever and thinks address A is needed soon, issues a\n   speculative read.\n\n2) Core finds it is going to use address A soon after sending the read\n   request\n\n3) The CMCI from the memory controller is in a race with MCE from the\n   core that will soon try to retire the load from address A.\n\nQuite often (because speculation has got better) the CMCI from the memory\ncontroller is delivered before the core is committed to the instruction\nreading address A, so the interrupt is taken, and Linux offlines the page\n(marking it as poison).\n\n\n## Why user process is killed for instr case\n\nCommit 046545a661af (\"mm/hwpoison: fix error page recovered but reported\n\"not\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:25:34.006Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5724654a084f701dc64b08d34a0e800f22f0e6e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e3d8169c0950a0b3cd5105f6403a78350dcac80"
        },
        {
          "url": "https://git.kernel.org/stable/c/449413da90a337f343cc5a73070cbd68e92e8a54"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b8388e97ba6a8c033f9a8b5565af41af07f9345"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a15bb8303b6b104e78028b6c68f76a0d4562134"
        }
      ],
      "title": "x86/mce: use is_copy_from_user() to determine copy-from-user context",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39989",
    "datePublished": "2025-04-18T07:01:39.321Z",
    "dateReserved": "2025-04-16T07:20:57.150Z",
    "dateUpdated": "2025-05-26T05:25:34.006Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21766 (GCVE-0-2025-21766)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 19:37

Title

ipv4: use RCU protection in __ip_rt_update_pmtu()

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv4: use RCU protection in __ip_rt_update_pmtu() __ip_rt_update_pmtu() must use RCU protection to make sure the net structure it reads does not disappear.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ce3c6165fce0f0630…
	https://git.kernel.org/stable/c/ea07480b232259422…
	https://git.kernel.org/stable/c/9b1766d1ff5fe496a…
	https://git.kernel.org/stable/c/4583748b65dee4d61…
	https://git.kernel.org/stable/c/a39f61d212d822b30…
	https://git.kernel.org/stable/c/139512191bd06f1b4…

Impacted products

Vendor

Product

Version

Linux

Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < ce3c6165fce0f06305c806696882a3ad4b90e33f (git)
Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < ea07480b23225942208f1b754fea1e7ec486d37e (git)
Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < 9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4 (git)
Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < 4583748b65dee4d61bd50a2214715b4237bc152a (git)
Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < a39f61d212d822b3062d7f70fa0588e50e55664e (git)
Affected: 2fbc6e89b2f1403189e624cabaf73e189c5e50c6 , < 139512191bd06f1b496117c76372b2ce372c9a41 (git)
Affected: f415c264176e6095e9dee823e09c5bdd0ee0d337 (git)
Affected: 98776a365da509ad923083ae54b38ee521c52742 (git)
Affected: 860e2cc78c697c95bc749abb20047239fa1722ea (git)
Affected: 2b1be6c925cdf4638811765a9160796291494b89 (git)

Linux

Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.79 , ≤ 6.6.* (semver)
Unaffected: 6.12.16 , ≤ 6.12.* (semver)
Unaffected: 6.13.4 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:37:21.502Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ce3c6165fce0f06305c806696882a3ad4b90e33f",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "lessThan": "ea07480b23225942208f1b754fea1e7ec486d37e",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "lessThan": "9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "lessThan": "4583748b65dee4d61bd50a2214715b4237bc152a",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "lessThan": "a39f61d212d822b3062d7f70fa0588e50e55664e",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "lessThan": "139512191bd06f1b496117c76372b2ce372c9a41",
              "status": "affected",
              "version": "2fbc6e89b2f1403189e624cabaf73e189c5e50c6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f415c264176e6095e9dee823e09c5bdd0ee0d337",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "98776a365da509ad923083ae54b38ee521c52742",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "860e2cc78c697c95bc749abb20047239fa1722ea",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2b1be6c925cdf4638811765a9160796291494b89",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/route.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.200",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.148",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.68",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.8.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv4: use RCU protection in __ip_rt_update_pmtu()\n\n__ip_rt_update_pmtu() must use RCU protection to make\nsure the net structure it reads does not disappear."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:29.555Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ce3c6165fce0f06305c806696882a3ad4b90e33f"
        },
        {
          "url": "https://git.kernel.org/stable/c/ea07480b23225942208f1b754fea1e7ec486d37e"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b1766d1ff5fe496aabe9fc5f4e34e53f35c11c4"
        },
        {
          "url": "https://git.kernel.org/stable/c/4583748b65dee4d61bd50a2214715b4237bc152a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a39f61d212d822b3062d7f70fa0588e50e55664e"
        },
        {
          "url": "https://git.kernel.org/stable/c/139512191bd06f1b496117c76372b2ce372c9a41"
        }
      ],
      "title": "ipv4: use RCU protection in __ip_rt_update_pmtu()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21766",
    "datePublished": "2025-02-27T02:18:16.570Z",
    "dateReserved": "2024-12-29T08:45:45.762Z",
    "dateUpdated": "2025-11-03T19:37:21.502Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37783 (GCVE-0-2025-37783)

Vulnerability from cvelistv5 – Published: 2025-05-01 13:07 – Updated: 2025-05-26 05:20

Title

drm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check The function dpu_plane_virtual_atomic_check was dereferencing pointers returned by drm_atomic_get_plane_state without checking for errors. This could lead to undefined behavior if the function returns an error pointer. This commit adds checks using IS_ERR to ensure that plane_state is valid before dereferencing them. Similar to commit da29abe71e16 ("drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed"). Patchwork: https://patchwork.freedesktop.org/patch/643132/

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a9670ed1cce321677…
	https://git.kernel.org/stable/c/5cb1b130e1cd04239…

Impacted products

Vendor

Product

Version

Linux

Affected: 774bcfb731765d092992136b54c34958d7c64bea , < a9670ed1cce3216778c89936d3ae91cf0d436035 (git)
Affected: 774bcfb731765d092992136b54c34958d7c64bea , < 5cb1b130e1cd04239cc9c26a98279f4660dce583 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a9670ed1cce3216778c89936d3ae91cf0d436035",
              "status": "affected",
              "version": "774bcfb731765d092992136b54c34958d7c64bea",
              "versionType": "git"
            },
            {
              "lessThan": "5cb1b130e1cd04239cc9c26a98279f4660dce583",
              "status": "affected",
              "version": "774bcfb731765d092992136b54c34958d7c64bea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/msm/disp/dpu1/dpu_plane.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check\n\nThe function dpu_plane_virtual_atomic_check was dereferencing pointers\nreturned by drm_atomic_get_plane_state without checking for errors. This\ncould lead to undefined behavior if the function returns an error pointer.\n\nThis commit adds checks using IS_ERR to ensure that plane_state is\nvalid before dereferencing them.\n\nSimilar to commit da29abe71e16\n(\"drm/amd/display: Fix error pointers in amdgpu_dm_crtc_mem_type_changed\").\n\nPatchwork: https://patchwork.freedesktop.org/patch/643132/"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:47.740Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a9670ed1cce3216778c89936d3ae91cf0d436035"
        },
        {
          "url": "https://git.kernel.org/stable/c/5cb1b130e1cd04239cc9c26a98279f4660dce583"
        }
      ],
      "title": "drm/msm/dpu: Fix error pointers in dpu_plane_virtual_atomic_check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37783",
    "datePublished": "2025-05-01T13:07:19.598Z",
    "dateReserved": "2025-04-16T04:51:23.940Z",
    "dateUpdated": "2025-05-26T05:20:47.740Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21956 (GCVE-0-2025-21956)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2025-11-03 19:39

Title

drm/amd/display: Assign normalized_pix_clk when color depth = 14

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: Assign normalized_pix_clk when color depth = 14 [WHY & HOW] A warning message "WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397 calculate_phy_pix_clks+0xef/0x100 [amdgpu]" occurs because the display_color_depth == COLOR_DEPTH_141414 is not handled. This is observed in Radeon RX 6600 XT. It is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests. Also fixes the indentation in get_norm_pix_clk. (cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cca3ab74f90176099…
	https://git.kernel.org/stable/c/0174a2e5770efee9d…
	https://git.kernel.org/stable/c/0c0016712e5dc23ce…
	https://git.kernel.org/stable/c/dc831b38680c47d07…
	https://git.kernel.org/stable/c/a8f77e1658d78e4a8…
	https://git.kernel.org/stable/c/04f90b505ad3a6eed…
	https://git.kernel.org/stable/c/27df30106690969f7…
	https://git.kernel.org/stable/c/79e31396fdd7037c5…

Impacted products

Vendor

Product

Version

Linux

Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < cca3ab74f90176099b6392e8e894b52b27b3d080 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 0174a2e5770efee9dbd4b58963ed4d939298ff5e (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 0c0016712e5dc23ce4a7e673cbebc24a535d8c8a (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < dc831b38680c47d07e425871a9852109183895cf (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < a8f77e1658d78e4a8bb227a83bcee67de97f7634 (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 04f90b505ad3a6eed474bbaa03167095fef5203a (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 27df30106690969f7d63604f0d49ed8e9bffa2cb (git)
Affected: 4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c , < 79e31396fdd7037c503e6add15af7cb00633ea92 (git)

Linux

Affected: 4.15
Unaffected: 0 , < 4.15 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:55.636Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc_resource.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cca3ab74f90176099b6392e8e894b52b27b3d080",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "0174a2e5770efee9dbd4b58963ed4d939298ff5e",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "0c0016712e5dc23ce4a7e673cbebc24a535d8c8a",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "dc831b38680c47d07e425871a9852109183895cf",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "a8f77e1658d78e4a8bb227a83bcee67de97f7634",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "04f90b505ad3a6eed474bbaa03167095fef5203a",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "27df30106690969f7d63604f0d49ed8e9bffa2cb",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            },
            {
              "lessThan": "79e31396fdd7037c503e6add15af7cb00633ea92",
              "status": "affected",
              "version": "4562236b3bc0a28aeb6ee93b2d8a849a4c4e1c7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/core/dc_resource.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.15"
            },
            {
              "lessThan": "4.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Assign normalized_pix_clk when color depth = 14\n\n[WHY \u0026 HOW]\nA warning message \"WARNING: CPU: 4 PID: 459 at ... /dc_resource.c:3397\ncalculate_phy_pix_clks+0xef/0x100 [amdgpu]\" occurs because the\ndisplay_color_depth == COLOR_DEPTH_141414 is not handled. This is\nobserved in Radeon RX 6600 XT.\n\nIt is fixed by assigning pix_clk * (14 * 3) / 24 - same as the rests.\n\nAlso fixes the indentation in get_norm_pix_clk.\n\n(cherry picked from commit 274a87eb389f58eddcbc5659ab0b180b37e92775)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-11T17:21:38.773Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cca3ab74f90176099b6392e8e894b52b27b3d080"
        },
        {
          "url": "https://git.kernel.org/stable/c/0174a2e5770efee9dbd4b58963ed4d939298ff5e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c0016712e5dc23ce4a7e673cbebc24a535d8c8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc831b38680c47d07e425871a9852109183895cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8f77e1658d78e4a8bb227a83bcee67de97f7634"
        },
        {
          "url": "https://git.kernel.org/stable/c/04f90b505ad3a6eed474bbaa03167095fef5203a"
        },
        {
          "url": "https://git.kernel.org/stable/c/27df30106690969f7d63604f0d49ed8e9bffa2cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/79e31396fdd7037c503e6add15af7cb00633ea92"
        }
      ],
      "title": "drm/amd/display: Assign normalized_pix_clk when color depth = 14",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21956",
    "datePublished": "2025-04-01T15:46:56.219Z",
    "dateReserved": "2024-12-29T08:45:45.790Z",
    "dateUpdated": "2025-11-03T19:39:55.636Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-39728 (GCVE-0-2025-39728)

Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2025-11-03 19:58

Title

clk: samsung: Fix UBSAN panic in samsung_clk_init()

Summary

In the Linux kernel, the following vulnerability has been resolved: clk: samsung: Fix UBSAN panic in samsung_clk_init() With UBSAN_ARRAY_BOUNDS=y, I'm hitting the below panic due to dereferencing `ctx->clk_data.hws` before setting `ctx->clk_data.num = nr_clks`. Move that up to fix the crash. UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP <snip> Call trace: samsung_clk_init+0x110/0x124 (P) samsung_clk_init+0x48/0x124 (L) samsung_cmu_register_one+0x3c/0xa0 exynos_arm64_register_cmu+0x54/0x64 __gs101_cmu_top_of_clk_init_declare+0x28/0x60 ...

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-129 - Improper Validation of Array Index

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/00307934eb94aaa0a…
	https://git.kernel.org/stable/c/d974e177369c03498…
	https://git.kernel.org/stable/c/0fef48f4a70e45a93…
	https://git.kernel.org/stable/c/4d29a6dcb51e34659…
	https://git.kernel.org/stable/c/24307866e0ac0a5dd…
	https://git.kernel.org/stable/c/a1500b98cd81a32fd…
	https://git.kernel.org/stable/c/157de9e48007a20c6…
	https://git.kernel.org/stable/c/d19d7345a7bcdb083…

Impacted products

Vendor

Product

Version

Linux

Affected: e620a1e061c4738e26c3edf2abaae7842532cd80 , < 00307934eb94aaa0a99addfb37b9fe206f945004 (git)
Affected: e620a1e061c4738e26c3edf2abaae7842532cd80 , < d974e177369c034984cece9d7d4fada9f8b9c740 (git)
Affected: e620a1e061c4738e26c3edf2abaae7842532cd80 , < 0fef48f4a70e45a93e73c39023c3a6ea624714d6 (git)
Affected: e620a1e061c4738e26c3edf2abaae7842532cd80 , < 4d29a6dcb51e346595a15b49693eeb728925ca43 (git)
Affected: e620a1e061c4738e26c3edf2abaae7842532cd80 , < 24307866e0ac0a5ddb462e766ceda5e27a6fbbe3 (git)
Affected: e620a1e061c4738e26c3edf2abaae7842532cd80 , < a1500b98cd81a32fdfb9bc63c33bb9f0c2a0a1bf (git)
Affected: e620a1e061c4738e26c3edf2abaae7842532cd80 , < 157de9e48007a20c65d02fc0229a16f38134a72d (git)
Affected: e620a1e061c4738e26c3edf2abaae7842532cd80 , < d19d7345a7bcdb083b65568a11b11adffe0687af (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-39728",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T16:13:45.605080Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-129",
                "description": "CWE-129 Improper Validation of Array Index",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T16:13:48.667Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:58:43.347Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/samsung/clk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "00307934eb94aaa0a99addfb37b9fe206f945004",
              "status": "affected",
              "version": "e620a1e061c4738e26c3edf2abaae7842532cd80",
              "versionType": "git"
            },
            {
              "lessThan": "d974e177369c034984cece9d7d4fada9f8b9c740",
              "status": "affected",
              "version": "e620a1e061c4738e26c3edf2abaae7842532cd80",
              "versionType": "git"
            },
            {
              "lessThan": "0fef48f4a70e45a93e73c39023c3a6ea624714d6",
              "status": "affected",
              "version": "e620a1e061c4738e26c3edf2abaae7842532cd80",
              "versionType": "git"
            },
            {
              "lessThan": "4d29a6dcb51e346595a15b49693eeb728925ca43",
              "status": "affected",
              "version": "e620a1e061c4738e26c3edf2abaae7842532cd80",
              "versionType": "git"
            },
            {
              "lessThan": "24307866e0ac0a5ddb462e766ceda5e27a6fbbe3",
              "status": "affected",
              "version": "e620a1e061c4738e26c3edf2abaae7842532cd80",
              "versionType": "git"
            },
            {
              "lessThan": "a1500b98cd81a32fdfb9bc63c33bb9f0c2a0a1bf",
              "status": "affected",
              "version": "e620a1e061c4738e26c3edf2abaae7842532cd80",
              "versionType": "git"
            },
            {
              "lessThan": "157de9e48007a20c65d02fc0229a16f38134a72d",
              "status": "affected",
              "version": "e620a1e061c4738e26c3edf2abaae7842532cd80",
              "versionType": "git"
            },
            {
              "lessThan": "d19d7345a7bcdb083b65568a11b11adffe0687af",
              "status": "affected",
              "version": "e620a1e061c4738e26c3edf2abaae7842532cd80",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/clk/samsung/clk.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nclk: samsung: Fix UBSAN panic in samsung_clk_init()\n\nWith UBSAN_ARRAY_BOUNDS=y, I\u0027m hitting the below panic due to\ndereferencing `ctx-\u003eclk_data.hws` before setting\n`ctx-\u003eclk_data.num = nr_clks`. Move that up to fix the crash.\n\n  UBSAN: array index out of bounds: 00000000f2005512 [#1] PREEMPT SMP\n  \u003csnip\u003e\n  Call trace:\n   samsung_clk_init+0x110/0x124 (P)\n   samsung_clk_init+0x48/0x124 (L)\n   samsung_cmu_register_one+0x3c/0xa0\n   exynos_arm64_register_cmu+0x54/0x64\n   __gs101_cmu_top_of_clk_init_declare+0x28/0x60\n   ..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:25:27.497Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/00307934eb94aaa0a99addfb37b9fe206f945004"
        },
        {
          "url": "https://git.kernel.org/stable/c/d974e177369c034984cece9d7d4fada9f8b9c740"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fef48f4a70e45a93e73c39023c3a6ea624714d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d29a6dcb51e346595a15b49693eeb728925ca43"
        },
        {
          "url": "https://git.kernel.org/stable/c/24307866e0ac0a5ddb462e766ceda5e27a6fbbe3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a1500b98cd81a32fdfb9bc63c33bb9f0c2a0a1bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/157de9e48007a20c65d02fc0229a16f38134a72d"
        },
        {
          "url": "https://git.kernel.org/stable/c/d19d7345a7bcdb083b65568a11b11adffe0687af"
        }
      ],
      "title": "clk: samsung: Fix UBSAN panic in samsung_clk_init()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-39728",
    "datePublished": "2025-04-18T07:01:35.818Z",
    "dateReserved": "2025-04-16T07:20:57.118Z",
    "dateUpdated": "2025-11-03T19:58:43.347Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38104 (GCVE-0-2025-38104)

Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2026-02-06 16:31

Title

drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV RLCG Register Access is a way for virtual functions to safely access GPU registers in a virtualized environment., including TLB flushes and register reads. When multiple threads or VFs try to access the same registers simultaneously, it can lead to race conditions. By using the RLCG interface, the driver can serialize access to the registers. This means that only one thread can access the registers at a time, preventing conflicts and ensuring that operations are performed correctly. Additionally, when a low-priority task holds a mutex that a high-priority task needs, ie., If a thread holding a spinlock tries to acquire a mutex, it can lead to priority inversion. register access in amdgpu_virt_rlcg_reg_rw especially in a fast code path is critical. The call stack shows that the function amdgpu_virt_rlcg_reg_rw is being called, which attempts to acquire the mutex. This function is invoked from amdgpu_sriov_wreg, which in turn is called from gmc_v11_0_flush_gpu_tlb. The [ BUG: Invalid wait context ] indicates that a thread is trying to acquire a mutex while it is in a context that does not allow it to sleep (like holding a spinlock). Fixes the below: [ 253.013423] ============================= [ 253.013434] [ BUG: Invalid wait context ] [ 253.013446] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G U OE [ 253.013464] ----------------------------- [ 253.013475] kworker/0:1/10 is trying to lock: [ 253.013487] ffff9f30542e3cf8 (&adev->virt.rlcg_reg_lock){+.+.}-{3:3}, at: amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.013815] other info that might help us debug this: [ 253.013827] context-{4:4} [ 253.013835] 3 locks held by kworker/0:1/10: [ 253.013847] #0: ffff9f3040050f58 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680 [ 253.013877] #1: ffffb789c008be40 ((work_completion)(&wfc.work)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680 [ 253.013905] #2: ffff9f3054281838 (&adev->gmc.invalidate_lock){+.+.}-{2:2}, at: gmc_v11_0_flush_gpu_tlb+0x198/0x4f0 [amdgpu] [ 253.014154] stack backtrace: [ 253.014164] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G U OE 6.12.0-amdstaging-drm-next-lol-050225 #14 [ 253.014189] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE [ 253.014203] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/18/2024 [ 253.014224] Workqueue: events work_for_cpu_fn [ 253.014241] Call Trace: [ 253.014250] <TASK> [ 253.014260] dump_stack_lvl+0x9b/0xf0 [ 253.014275] dump_stack+0x10/0x20 [ 253.014287] __lock_acquire+0xa47/0x2810 [ 253.014303] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.014321] lock_acquire+0xd1/0x300 [ 253.014333] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.014562] ? __lock_acquire+0xa6b/0x2810 [ 253.014578] __mutex_lock+0x85/0xe20 [ 253.014591] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.014782] ? sched_clock_noinstr+0x9/0x10 [ 253.014795] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.014808] ? local_clock_noinstr+0xe/0xc0 [ 253.014822] ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.015012] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.015029] mutex_lock_nested+0x1b/0x30 [ 253.015044] ? mutex_lock_nested+0x1b/0x30 [ 253.015057] amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu] [ 253.015249] amdgpu_sriov_wreg+0xc5/0xd0 [amdgpu] [ 253.015435] gmc_v11_0_flush_gpu_tlb+0x44b/0x4f0 [amdgpu] [ 253.015667] gfx_v11_0_hw_init+0x499/0x29c0 [amdgpu] [ 253.015901] ? __pfx_smu_v13_0_update_pcie_parameters+0x10/0x10 [amdgpu] [ 253.016159] ? srso_alias_return_thunk+0x5/0xfbef5 [ 253.016173] ? smu_hw_init+0x18d/0x300 [amdgpu] [ 253.016403] amdgpu_device_init+0x29ad/0x36a0 [amdgpu] [ 253.016614] amdgpu_driver_load_kms+0x1a/0xc0 [amdgpu] [ 253.0170 ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/dd450b513718dfeb4…
	https://git.kernel.org/stable/c/d1bda2ab0cf956a16…
	https://git.kernel.org/stable/c/07ed75bfa7ede8bfc…
	https://git.kernel.org/stable/c/1c0378830e42c98ac…
	https://git.kernel.org/stable/c/5c1741a0c176ae116…
	https://git.kernel.org/stable/c/dc0297f3198bd6010…

Impacted products

Vendor

Product

Version

Linux

Affected: f39a3bc42815a7016a915f6cb35e9a1448788f06 , < dd450b513718dfeb4c637c9335d51a55ebcd4320 (git)
Affected: 1adb5ebe205e96af77a93512e2d5b8c437548787 , < d1bda2ab0cf956a16dd369a473a6c43dfbed5855 (git)
Affected: e864180ee49b4d30e640fd1e1d852b86411420c9 , < 07ed75bfa7ede8bfcfa303fd6efc85db1c8684c7 (git)
Affected: e864180ee49b4d30e640fd1e1d852b86411420c9 , < 1c0378830e42c98acd69e0289882c8637d92f285 (git)
Affected: e864180ee49b4d30e640fd1e1d852b86411420c9 , < 5c1741a0c176ae11675a64cb7f2dd21d72db6b91 (git)
Affected: e864180ee49b4d30e640fd1e1d852b86411420c9 , < dc0297f3198bd60108ccbd167ee5d9fa4af31ed0 (git)
Affected: e1ab38e99d1607f80a1670a399511a56464c0253 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.1.162 , ≤ 6.1.* (semver)
Unaffected: 6.6.123 , ≤ 6.6.* (semver)
Unaffected: 6.12.39 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_device.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "dd450b513718dfeb4c637c9335d51a55ebcd4320",
              "status": "affected",
              "version": "f39a3bc42815a7016a915f6cb35e9a1448788f06",
              "versionType": "git"
            },
            {
              "lessThan": "d1bda2ab0cf956a16dd369a473a6c43dfbed5855",
              "status": "affected",
              "version": "1adb5ebe205e96af77a93512e2d5b8c437548787",
              "versionType": "git"
            },
            {
              "lessThan": "07ed75bfa7ede8bfcfa303fd6efc85db1c8684c7",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "lessThan": "1c0378830e42c98acd69e0289882c8637d92f285",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "lessThan": "5c1741a0c176ae11675a64cb7f2dd21d72db6b91",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "lessThan": "dc0297f3198bd60108ccbd167ee5d9fa4af31ed0",
              "status": "affected",
              "version": "e864180ee49b4d30e640fd1e1d852b86411420c9",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e1ab38e99d1607f80a1670a399511a56464c0253",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/amdgpu/amdgpu_device.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.c",
            "drivers/gpu/drm/amd/amdgpu/amdgpu_virt.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.162",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.123",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.162",
                  "versionStartIncluding": "6.1.105",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.123",
                  "versionStartIncluding": "6.6.46",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.39",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV\n\nRLCG Register Access is a way for virtual functions to safely access GPU\nregisters in a virtualized environment., including TLB flushes and\nregister reads. When multiple threads or VFs try to access the same\nregisters simultaneously, it can lead to race conditions. By using the\nRLCG interface, the driver can serialize access to the registers. This\nmeans that only one thread can access the registers at a time,\npreventing conflicts and ensuring that operations are performed\ncorrectly. Additionally, when a low-priority task holds a mutex that a\nhigh-priority task needs, ie., If a thread holding a spinlock tries to\nacquire a mutex, it can lead to priority inversion. register access in\namdgpu_virt_rlcg_reg_rw especially in a fast code path is critical.\n\nThe call stack shows that the function amdgpu_virt_rlcg_reg_rw is being\ncalled, which attempts to acquire the mutex. This function is invoked\nfrom amdgpu_sriov_wreg, which in turn is called from\ngmc_v11_0_flush_gpu_tlb.\n\nThe [ BUG: Invalid wait context ] indicates that a thread is trying to\nacquire a mutex while it is in a context that does not allow it to sleep\n(like holding a spinlock).\n\nFixes the below:\n\n[  253.013423] =============================\n[  253.013434] [ BUG: Invalid wait context ]\n[  253.013446] 6.12.0-amdstaging-drm-next-lol-050225 #14 Tainted: G     U     OE\n[  253.013464] -----------------------------\n[  253.013475] kworker/0:1/10 is trying to lock:\n[  253.013487] ffff9f30542e3cf8 (\u0026adev-\u003evirt.rlcg_reg_lock){+.+.}-{3:3}, at: amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.013815] other info that might help us debug this:\n[  253.013827] context-{4:4}\n[  253.013835] 3 locks held by kworker/0:1/10:\n[  253.013847]  #0: ffff9f3040050f58 ((wq_completion)events){+.+.}-{0:0}, at: process_one_work+0x3f5/0x680\n[  253.013877]  #1: ffffb789c008be40 ((work_completion)(\u0026wfc.work)){+.+.}-{0:0}, at: process_one_work+0x1d6/0x680\n[  253.013905]  #2: ffff9f3054281838 (\u0026adev-\u003egmc.invalidate_lock){+.+.}-{2:2}, at: gmc_v11_0_flush_gpu_tlb+0x198/0x4f0 [amdgpu]\n[  253.014154] stack backtrace:\n[  253.014164] CPU: 0 UID: 0 PID: 10 Comm: kworker/0:1 Tainted: G     U     OE      6.12.0-amdstaging-drm-next-lol-050225 #14\n[  253.014189] Tainted: [U]=USER, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE\n[  253.014203] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.1 11/18/2024\n[  253.014224] Workqueue: events work_for_cpu_fn\n[  253.014241] Call Trace:\n[  253.014250]  \u003cTASK\u003e\n[  253.014260]  dump_stack_lvl+0x9b/0xf0\n[  253.014275]  dump_stack+0x10/0x20\n[  253.014287]  __lock_acquire+0xa47/0x2810\n[  253.014303]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.014321]  lock_acquire+0xd1/0x300\n[  253.014333]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.014562]  ? __lock_acquire+0xa6b/0x2810\n[  253.014578]  __mutex_lock+0x85/0xe20\n[  253.014591]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.014782]  ? sched_clock_noinstr+0x9/0x10\n[  253.014795]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.014808]  ? local_clock_noinstr+0xe/0xc0\n[  253.014822]  ? amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.015012]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.015029]  mutex_lock_nested+0x1b/0x30\n[  253.015044]  ? mutex_lock_nested+0x1b/0x30\n[  253.015057]  amdgpu_virt_rlcg_reg_rw+0xf6/0x330 [amdgpu]\n[  253.015249]  amdgpu_sriov_wreg+0xc5/0xd0 [amdgpu]\n[  253.015435]  gmc_v11_0_flush_gpu_tlb+0x44b/0x4f0 [amdgpu]\n[  253.015667]  gfx_v11_0_hw_init+0x499/0x29c0 [amdgpu]\n[  253.015901]  ? __pfx_smu_v13_0_update_pcie_parameters+0x10/0x10 [amdgpu]\n[  253.016159]  ? srso_alias_return_thunk+0x5/0xfbef5\n[  253.016173]  ? smu_hw_init+0x18d/0x300 [amdgpu]\n[  253.016403]  amdgpu_device_init+0x29ad/0x36a0 [amdgpu]\n[  253.016614]  amdgpu_driver_load_kms+0x1a/0xc0 [amdgpu]\n[  253.0170\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T16:31:14.109Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/dd450b513718dfeb4c637c9335d51a55ebcd4320"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1bda2ab0cf956a16dd369a473a6c43dfbed5855"
        },
        {
          "url": "https://git.kernel.org/stable/c/07ed75bfa7ede8bfcfa303fd6efc85db1c8684c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c0378830e42c98acd69e0289882c8637d92f285"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c1741a0c176ae11675a64cb7f2dd21d72db6b91"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc0297f3198bd60108ccbd167ee5d9fa4af31ed0"
        }
      ],
      "title": "drm/amdgpu: Replace Mutex with Spinlock for RLCG register access to avoid Priority Inversion in SRIOV",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38104",
    "datePublished": "2025-04-18T07:01:31.091Z",
    "dateReserved": "2025-04-16T04:51:23.985Z",
    "dateUpdated": "2026-02-06T16:31:14.109Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22085 (GCVE-0-2025-22085)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-05-26 05:18

Title

RDMA/core: Fix use-after-free when rename device name

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Fix use-after-free when rename device name Syzbot reported a slab-use-after-free with the following call trace: ================================================================== BUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099 Read of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025 CPU: 0 UID: 0 PID: 10025 Comm: syz.0.988 Not tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0 Hardware name: Google Compute Engine, BIOS Google 02/12/2025 Call Trace: <TASK> __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0x16e/0x5b0 mm/kasan/report.c:521 kasan_report+0x143/0x180 mm/kasan/report.c:634 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 nla_put+0xd3/0x150 lib/nlattr.c:1099 nla_put_string include/net/netlink.h:1621 [inline] fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265 rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857 ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344 ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460 rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540 rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550 rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212 nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883 sock_sendmsg_nosec net/socket.c:709 [inline] __sock_sendmsg+0x221/0x270 net/socket.c:724 ____sys_sendmsg+0x53a/0x860 net/socket.c:2564 ___sys_sendmsg net/socket.c:2618 [inline] __sys_sendmsg+0x269/0x350 net/socket.c:2650 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f42d1b8d169 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ... RSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169 RDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c RBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8 </TASK> Allocated by task 10025: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4294 [inline] __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313 __kmemdup_nul mm/util.c:61 [inline] kstrdup+0x42/0x100 mm/util.c:81 kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274 dev_set_name+0xd5/0x120 drivers/base/core.c:3468 assign_name drivers/infiniband/core/device.c:1202 [inline] ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384 rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540 rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550 rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212 nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795 rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline] rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259 netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline] netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339 netlink_sendmsg+0x8de/0xcb0 net ---truncated---

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0d6460b9d2a3ee380…
	https://git.kernel.org/stable/c/56ec8580be5174b2b…
	https://git.kernel.org/stable/c/edf6b543e81ba68c6…
	https://git.kernel.org/stable/c/1d6a9e7449e2a0c1e…

Impacted products

Vendor

Product

Version

Linux

Affected: 9cbed5aab5aeea420d0aa945733bf608449d44fb , < 0d6460b9d2a3ee380940bdf47680751ef91cb88e (git)
Affected: 9cbed5aab5aeea420d0aa945733bf608449d44fb , < 56ec8580be5174b2b9774066e60f1aad56d201db (git)
Affected: 9cbed5aab5aeea420d0aa945733bf608449d44fb , < edf6b543e81ba68c6dbac2499ab362098a5a9716 (git)
Affected: 9cbed5aab5aeea420d0aa945733bf608449d44fb , < 1d6a9e7449e2a0c1e2934eee7880ba8bd1e464cd (git)

Linux

Affected: 6.12
Unaffected: 0 , < 6.12 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22085",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T14:57:43.878838Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T15:01:46.413Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0d6460b9d2a3ee380940bdf47680751ef91cb88e",
              "status": "affected",
              "version": "9cbed5aab5aeea420d0aa945733bf608449d44fb",
              "versionType": "git"
            },
            {
              "lessThan": "56ec8580be5174b2b9774066e60f1aad56d201db",
              "status": "affected",
              "version": "9cbed5aab5aeea420d0aa945733bf608449d44fb",
              "versionType": "git"
            },
            {
              "lessThan": "edf6b543e81ba68c6dbac2499ab362098a5a9716",
              "status": "affected",
              "version": "9cbed5aab5aeea420d0aa945733bf608449d44fb",
              "versionType": "git"
            },
            {
              "lessThan": "1d6a9e7449e2a0c1e2934eee7880ba8bd1e464cd",
              "status": "affected",
              "version": "9cbed5aab5aeea420d0aa945733bf608449d44fb",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/device.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.12"
            },
            {
              "lessThan": "6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Fix use-after-free when rename device name\n\nSyzbot reported a slab-use-after-free with the following call trace:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in nla_put+0xd3/0x150 lib/nlattr.c:1099\nRead of size 5 at addr ffff888140ea1c60 by task syz.0.988/10025\n\nCPU: 0 UID: 0 PID: 10025 Comm: syz.0.988\nNot tainted 6.14.0-rc4-syzkaller-00859-gf77f12010f67 #0\nHardware name: Google Compute Engine, BIOS Google 02/12/2025\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0x16e/0x5b0 mm/kasan/report.c:521\n kasan_report+0x143/0x180 mm/kasan/report.c:634\n kasan_check_range+0x282/0x290 mm/kasan/generic.c:189\n __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105\n nla_put+0xd3/0x150 lib/nlattr.c:1099\n nla_put_string include/net/netlink.h:1621 [inline]\n fill_nldev_handle+0x16e/0x200 drivers/infiniband/core/nldev.c:265\n rdma_nl_notify_event+0x561/0xef0 drivers/infiniband/core/nldev.c:2857\n ib_device_notify_register+0x22/0x230 drivers/infiniband/core/device.c:1344\n ib_register_device+0x1292/0x1460 drivers/infiniband/core/device.c:1460\n rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540\n rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212\n nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795\n rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8de/0xcb0 net/netlink/af_netlink.c:1883\n sock_sendmsg_nosec net/socket.c:709 [inline]\n __sock_sendmsg+0x221/0x270 net/socket.c:724\n ____sys_sendmsg+0x53a/0x860 net/socket.c:2564\n ___sys_sendmsg net/socket.c:2618 [inline]\n __sys_sendmsg+0x269/0x350 net/socket.c:2650\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f42d1b8d169\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 ...\nRSP: 002b:00007f42d2960038 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f42d1da6320 RCX: 00007f42d1b8d169\nRDX: 0000000000000000 RSI: 00004000000002c0 RDI: 000000000000000c\nRBP: 00007f42d1c0e2a0 R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 0000000000000000 R14: 00007f42d1da6320 R15: 00007ffe399344a8\n \u003c/TASK\u003e\n\nAllocated by task 10025:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x3f/0x80 mm/kasan/common.c:68\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0x98/0xb0 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4294 [inline]\n __kmalloc_node_track_caller_noprof+0x28b/0x4c0 mm/slub.c:4313\n __kmemdup_nul mm/util.c:61 [inline]\n kstrdup+0x42/0x100 mm/util.c:81\n kobject_set_name_vargs+0x61/0x120 lib/kobject.c:274\n dev_set_name+0xd5/0x120 drivers/base/core.c:3468\n assign_name drivers/infiniband/core/device.c:1202 [inline]\n ib_register_device+0x178/0x1460 drivers/infiniband/core/device.c:1384\n rxe_register_device+0x233/0x350 drivers/infiniband/sw/rxe/rxe_verbs.c:1540\n rxe_net_add+0x74/0xf0 drivers/infiniband/sw/rxe/rxe_net.c:550\n rxe_newlink+0xde/0x1a0 drivers/infiniband/sw/rxe/rxe.c:212\n nldev_newlink+0x5ea/0x680 drivers/infiniband/core/nldev.c:1795\n rdma_nl_rcv_skb drivers/infiniband/core/netlink.c:239 [inline]\n rdma_nl_rcv+0x6dd/0x9e0 drivers/infiniband/core/netlink.c:259\n netlink_unicast_kernel net/netlink/af_netlink.c:1313 [inline]\n netlink_unicast+0x7f6/0x990 net/netlink/af_netlink.c:1339\n netlink_sendmsg+0x8de/0xcb0 net\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:18:09.541Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0d6460b9d2a3ee380940bdf47680751ef91cb88e"
        },
        {
          "url": "https://git.kernel.org/stable/c/56ec8580be5174b2b9774066e60f1aad56d201db"
        },
        {
          "url": "https://git.kernel.org/stable/c/edf6b543e81ba68c6dbac2499ab362098a5a9716"
        },
        {
          "url": "https://git.kernel.org/stable/c/1d6a9e7449e2a0c1e2934eee7880ba8bd1e464cd"
        }
      ],
      "title": "RDMA/core: Fix use-after-free when rename device name",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22085",
    "datePublished": "2025-04-16T14:12:33.821Z",
    "dateReserved": "2024-12-29T08:45:45.816Z",
    "dateUpdated": "2025-05-26T05:18:09.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21719 (GCVE-0-2025-21719)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:36

Title

ipmr: do not call mr_mfc_uses_dev() for unres entries

Summary

In the Linux kernel, the following vulnerability has been resolved: ipmr: do not call mr_mfc_uses_dev() for unres entries syzbot found that calling mr_mfc_uses_dev() for unres entries would crash [1], because c->mfc_un.res.minvif / c->mfc_un.res.maxvif alias to "struct sk_buff_head unresolved", which contain two pointers. This code never worked, lets remove it. [1] Unable to handle kernel paging request at virtual address ffff5fff2d536613 KASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f] Modules linked in: CPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline] lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334 Call trace: mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P) mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P) mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382 ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648 rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327 rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791 netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317 netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973 sock_recvmsg_nosec net/socket.c:1033 [inline] sock_recvmsg net/socket.c:1055 [inline] sock_read_iter+0x2d8/0x40c net/socket.c:1125 new_sync_read fs/read_write.c:484 [inline] vfs_read+0x740/0x970 fs/read_write.c:565 ksys_read+0x15c/0x26c fs/read_write.c:708

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/71a0fcb68c0a5f3ec…
	https://git.kernel.org/stable/c/53df27fd38f84bd3c…
	https://git.kernel.org/stable/c/547ef7e8cbb98f966…
	https://git.kernel.org/stable/c/57177c5f47a8da852…
	https://git.kernel.org/stable/c/b379b3162ff55a704…
	https://git.kernel.org/stable/c/a099834a51ccf9bbb…
	https://git.kernel.org/stable/c/26bb7d991f04eeef4…
	https://git.kernel.org/stable/c/15a901361ec3fb1c3…

Impacted products

Vendor

Product

Version

Linux

Affected: cb167893f41e21e6bd283d78e53489289dc0592d , < 71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1 (git)
Affected: cb167893f41e21e6bd283d78e53489289dc0592d , < 53df27fd38f84bd3cd6b004eb4ff3c4903114f1d (git)
Affected: cb167893f41e21e6bd283d78e53489289dc0592d , < 547ef7e8cbb98f966c8719a3e15d4e078aaa9b47 (git)
Affected: cb167893f41e21e6bd283d78e53489289dc0592d , < 57177c5f47a8da852f8d76cf6945cf803f8bb9e5 (git)
Affected: cb167893f41e21e6bd283d78e53489289dc0592d , < b379b3162ff55a70464c6a934ae9bf0497478a62 (git)
Affected: cb167893f41e21e6bd283d78e53489289dc0592d , < a099834a51ccf9bbba3de86a251b3433539abfde (git)
Affected: cb167893f41e21e6bd283d78e53489289dc0592d , < 26bb7d991f04eeef47dfad23e533834995c26f7a (git)
Affected: cb167893f41e21e6bd283d78e53489289dc0592d , < 15a901361ec3fb1c393f91880e1cbf24ec0a88bd (git)

Linux

Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:16.326Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ipmr_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "53df27fd38f84bd3cd6b004eb4ff3c4903114f1d",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "547ef7e8cbb98f966c8719a3e15d4e078aaa9b47",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "57177c5f47a8da852f8d76cf6945cf803f8bb9e5",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "b379b3162ff55a70464c6a934ae9bf0497478a62",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "a099834a51ccf9bbba3de86a251b3433539abfde",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "26bb7d991f04eeef47dfad23e533834995c26f7a",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            },
            {
              "lessThan": "15a901361ec3fb1c393f91880e1cbf24ec0a88bd",
              "status": "affected",
              "version": "cb167893f41e21e6bd283d78e53489289dc0592d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/ipmr_base.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipmr: do not call mr_mfc_uses_dev() for unres entries\n\nsyzbot found that calling mr_mfc_uses_dev() for unres entries\nwould crash [1], because c-\u003emfc_un.res.minvif / c-\u003emfc_un.res.maxvif\nalias to \"struct sk_buff_head unresolved\", which contain two pointers.\n\nThis code never worked, lets remove it.\n\n[1]\nUnable to handle kernel paging request at virtual address ffff5fff2d536613\nKASAN: maybe wild-memory-access in range [0xfffefff96a9b3098-0xfffefff96a9b309f]\nModules linked in:\nCPU: 1 UID: 0 PID: 7321 Comm: syz.0.16 Not tainted 6.13.0-rc7-syzkaller-g1950a0af2d55 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\npstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n pc : mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline]\n pc : mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334\n lr : mr_mfc_uses_dev net/ipv4/ipmr_base.c:289 [inline]\n lr : mr_table_dump+0x694/0x8b0 net/ipv4/ipmr_base.c:334\nCall trace:\n  mr_mfc_uses_dev net/ipv4/ipmr_base.c:290 [inline] (P)\n  mr_table_dump+0x5a4/0x8b0 net/ipv4/ipmr_base.c:334 (P)\n  mr_rtm_dumproute+0x254/0x454 net/ipv4/ipmr_base.c:382\n  ipmr_rtm_dumproute+0x248/0x4b4 net/ipv4/ipmr.c:2648\n  rtnl_dump_all+0x2e4/0x4e8 net/core/rtnetlink.c:4327\n  rtnl_dumpit+0x98/0x1d0 net/core/rtnetlink.c:6791\n  netlink_dump+0x4f0/0xbc0 net/netlink/af_netlink.c:2317\n  netlink_recvmsg+0x56c/0xe64 net/netlink/af_netlink.c:1973\n  sock_recvmsg_nosec net/socket.c:1033 [inline]\n  sock_recvmsg net/socket.c:1055 [inline]\n  sock_read_iter+0x2d8/0x40c net/socket.c:1125\n  new_sync_read fs/read_write.c:484 [inline]\n  vfs_read+0x740/0x970 fs/read_write.c:565\n  ksys_read+0x15c/0x26c fs/read_write.c:708"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:43.300Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/71a0fcb68c0a5f3ec912b540cd5d72148e6ee5f1"
        },
        {
          "url": "https://git.kernel.org/stable/c/53df27fd38f84bd3cd6b004eb4ff3c4903114f1d"
        },
        {
          "url": "https://git.kernel.org/stable/c/547ef7e8cbb98f966c8719a3e15d4e078aaa9b47"
        },
        {
          "url": "https://git.kernel.org/stable/c/57177c5f47a8da852f8d76cf6945cf803f8bb9e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/b379b3162ff55a70464c6a934ae9bf0497478a62"
        },
        {
          "url": "https://git.kernel.org/stable/c/a099834a51ccf9bbba3de86a251b3433539abfde"
        },
        {
          "url": "https://git.kernel.org/stable/c/26bb7d991f04eeef47dfad23e533834995c26f7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/15a901361ec3fb1c393f91880e1cbf24ec0a88bd"
        }
      ],
      "title": "ipmr: do not call mr_mfc_uses_dev() for unres entries",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21719",
    "datePublished": "2025-02-27T02:07:28.573Z",
    "dateReserved": "2024-12-29T08:45:45.753Z",
    "dateUpdated": "2025-11-03T19:36:16.326Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-58095 (GCVE-0-2024-58095)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2025-05-26 05:16

Title

jfs: add check read-only before txBeginAnon() call

Summary

In the Linux kernel, the following vulnerability has been resolved: jfs: add check read-only before txBeginAnon() call Added a read-only check before calling `txBeginAnon` in `extAlloc` and `extRecord`. This prevents modification attempts on a read-only mounted filesystem, avoiding potential errors or crashes. Call trace: txBeginAnon+0xac/0x154 extAlloc+0xe8/0xdec fs/jfs/jfs_extent.c:78 jfs_get_block+0x340/0xb98 fs/jfs/inode.c:248 __block_write_begin_int+0x580/0x166c fs/buffer.c:2128 __block_write_begin fs/buffer.c:2177 [inline] block_write_begin+0x98/0x11c fs/buffer.c:2236 jfs_write_begin+0x44/0x88 fs/jfs/inode.c:299

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/15469c408af2d7a52…
	https://git.kernel.org/stable/c/0176e69743ecc0296…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 15469c408af2d7a52fb186a92f2f091b0f13b1fb (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0176e69743ecc02961f2ae1ea42439cd2bf9ed58 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_extent.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "15469c408af2d7a52fb186a92f2f091b0f13b1fb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0176e69743ecc02961f2ae1ea42439cd2bf9ed58",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/jfs/jfs_extent.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\njfs: add check read-only before txBeginAnon() call\n\nAdded a read-only check before calling `txBeginAnon` in `extAlloc`\nand `extRecord`. This prevents modification attempts on a read-only\nmounted filesystem, avoiding potential errors or crashes.\n\nCall trace:\n txBeginAnon+0xac/0x154\n extAlloc+0xe8/0xdec fs/jfs/jfs_extent.c:78\n jfs_get_block+0x340/0xb98 fs/jfs/inode.c:248\n __block_write_begin_int+0x580/0x166c fs/buffer.c:2128\n __block_write_begin fs/buffer.c:2177 [inline]\n block_write_begin+0x98/0x11c fs/buffer.c:2236\n jfs_write_begin+0x44/0x88 fs/jfs/inode.c:299"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:16:36.603Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/15469c408af2d7a52fb186a92f2f091b0f13b1fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/0176e69743ecc02961f2ae1ea42439cd2bf9ed58"
        }
      ],
      "title": "jfs: add check read-only before txBeginAnon() call",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58095",
    "datePublished": "2025-04-16T14:11:43.934Z",
    "dateReserved": "2025-03-06T15:52:09.188Z",
    "dateUpdated": "2025-05-26T05:16:36.603Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2023-52664 (GCVE-0-2023-52664)

Vulnerability from cvelistv5 – Published: 2024-05-17 13:45 – Updated: 2025-05-20 14:27

Title

net: atlantic: eliminate double free in error handling logic

Summary

In the Linux kernel, the following vulnerability has been resolved: net: atlantic: eliminate double free in error handling logic Driver has a logic leak in ring data allocation/free, where aq_ring_free could be called multiple times on same ring, if system is under stress and got memory allocation error. Ring pointer was used as an indicator of failure, but this is not correct since only ring data is allocated/deallocated. Ring itself is an array member. Changing ring allocation functions to return error code directly. This simplifies error handling and eliminates aq_ring_free on higher layer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0edb3ae8bfa31cd54…
	https://git.kernel.org/stable/c/c11a870a73a3bc4cc…
	https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49…
	https://git.kernel.org/stable/c/b3cb7a830a2452787…

Impacted products

Vendor

Product

Version

Linux

Affected: 018423e90bee8978105eaaa265a26e70637f9f1e , < 0edb3ae8bfa31cd544b0c195bdec00e036002b5d (git)
Affected: 018423e90bee8978105eaaa265a26e70637f9f1e , < c11a870a73a3bc4cc7df6dd877a45b181795fcbf (git)
Affected: 018423e90bee8978105eaaa265a26e70637f9f1e , < d1fde4a7e1dcc4d49cce285107a7a43c3030878d (git)
Affected: 018423e90bee8978105eaaa265a26e70637f9f1e , < b3cb7a830a24527877b0bc900b9bd74a96aea928 (git)

Linux

Affected: 4.11
Unaffected: 0 , < 4.11 (semver)
Unaffected: 6.1.77 , ≤ 6.1.* (semver)
Unaffected: 6.6.16 , ≤ 6.6.* (semver)
Unaffected: 6.7.4 , ≤ 6.7.* (semver)
Unaffected: 6.8 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T23:11:34.900Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-52664",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T15:42:18.912718Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:33:20.159Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/aquantia/atlantic/aq_ptp.c",
            "drivers/net/ethernet/aquantia/atlantic/aq_ring.c",
            "drivers/net/ethernet/aquantia/atlantic/aq_ring.h",
            "drivers/net/ethernet/aquantia/atlantic/aq_vec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0edb3ae8bfa31cd544b0c195bdec00e036002b5d",
              "status": "affected",
              "version": "018423e90bee8978105eaaa265a26e70637f9f1e",
              "versionType": "git"
            },
            {
              "lessThan": "c11a870a73a3bc4cc7df6dd877a45b181795fcbf",
              "status": "affected",
              "version": "018423e90bee8978105eaaa265a26e70637f9f1e",
              "versionType": "git"
            },
            {
              "lessThan": "d1fde4a7e1dcc4d49cce285107a7a43c3030878d",
              "status": "affected",
              "version": "018423e90bee8978105eaaa265a26e70637f9f1e",
              "versionType": "git"
            },
            {
              "lessThan": "b3cb7a830a24527877b0bc900b9bd74a96aea928",
              "status": "affected",
              "version": "018423e90bee8978105eaaa265a26e70637f9f1e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/aquantia/atlantic/aq_ptp.c",
            "drivers/net/ethernet/aquantia/atlantic/aq_ring.c",
            "drivers/net/ethernet/aquantia/atlantic/aq_ring.h",
            "drivers/net/ethernet/aquantia/atlantic/aq_vec.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.11"
            },
            {
              "lessThan": "4.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.77",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.7.*",
              "status": "unaffected",
              "version": "6.7.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.8",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.77",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.16",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.7.4",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8",
                  "versionStartIncluding": "4.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: atlantic: eliminate double free in error handling logic\n\nDriver has a logic leak in ring data allocation/free,\nwhere aq_ring_free could be called multiple times on same ring,\nif system is under stress and got memory allocation error.\n\nRing pointer was used as an indicator of failure, but this is\nnot correct since only ring data is allocated/deallocated.\nRing itself is an array member.\n\nChanging ring allocation functions to return error code directly.\nThis simplifies error handling and eliminates aq_ring_free\non higher layer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-20T14:27:31.461Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0edb3ae8bfa31cd544b0c195bdec00e036002b5d"
        },
        {
          "url": "https://git.kernel.org/stable/c/c11a870a73a3bc4cc7df6dd877a45b181795fcbf"
        },
        {
          "url": "https://git.kernel.org/stable/c/d1fde4a7e1dcc4d49cce285107a7a43c3030878d"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3cb7a830a24527877b0bc900b9bd74a96aea928"
        }
      ],
      "title": "net: atlantic: eliminate double free in error handling logic",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2023-52664",
    "datePublished": "2024-05-17T13:45:05.545Z",
    "dateReserved": "2024-03-07T14:49:46.885Z",
    "dateUpdated": "2025-05-20T14:27:31.461Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21748 (GCVE-0-2025-21748)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:12 – Updated: 2025-11-03 19:36

Title

ksmbd: fix integer overflows on 32 bit systems

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix integer overflows on 32 bit systems On 32bit systems the addition operations in ipc_msg_alloc() can potentially overflow leading to memory corruption. Add bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f3b9fb2764591d792…
	https://git.kernel.org/stable/c/760568c1f62ea874e…
	https://git.kernel.org/stable/c/82f59d64e6297f270…
	https://git.kernel.org/stable/c/b4b902737746c4902…
	https://git.kernel.org/stable/c/ecb9947fa7c99a77b…
	https://git.kernel.org/stable/c/aab98e2dbd648510f…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < f3b9fb2764591d792d160f375851013665a9e820 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 760568c1f62ea874e8fb492f9cfa4f47b4b8391e (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 82f59d64e6297f270311b16b5dcf65be406d1ea3 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < b4b902737746c490258de5cb55cab39e79927a67 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < ecb9947fa7c99a77b04d43404c6988a0d326e4a0 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < aab98e2dbd648510f8f51b83fbf4721206ccae45 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.78 , ≤ 6.6.* (semver)
Unaffected: 6.12.14 , ≤ 6.12.* (semver)
Unaffected: 6.13.3 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:51.420Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/transport_ipc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f3b9fb2764591d792d160f375851013665a9e820",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "760568c1f62ea874e8fb492f9cfa4f47b4b8391e",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "82f59d64e6297f270311b16b5dcf65be406d1ea3",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "b4b902737746c490258de5cb55cab39e79927a67",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "ecb9947fa7c99a77b04d43404c6988a0d326e4a0",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "aab98e2dbd648510f8f51b83fbf4721206ccae45",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/transport_ipc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix integer overflows on 32 bit systems\n\nOn 32bit systems the addition operations in ipc_msg_alloc() can\npotentially overflow leading to memory corruption.\nAdd bounds checking using KSMBD_IPC_MAX_PAYLOAD to avoid overflow."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:16.192Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f3b9fb2764591d792d160f375851013665a9e820"
        },
        {
          "url": "https://git.kernel.org/stable/c/760568c1f62ea874e8fb492f9cfa4f47b4b8391e"
        },
        {
          "url": "https://git.kernel.org/stable/c/82f59d64e6297f270311b16b5dcf65be406d1ea3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b4b902737746c490258de5cb55cab39e79927a67"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecb9947fa7c99a77b04d43404c6988a0d326e4a0"
        },
        {
          "url": "https://git.kernel.org/stable/c/aab98e2dbd648510f8f51b83fbf4721206ccae45"
        }
      ],
      "title": "ksmbd: fix integer overflows on 32 bit systems",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21748",
    "datePublished": "2025-02-27T02:12:19.705Z",
    "dateReserved": "2024-12-29T08:45:45.758Z",
    "dateUpdated": "2025-11-03T19:36:51.420Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37872 (GCVE-0-2025-37872)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:44 – Updated: 2025-05-26 05:22

Title

net: txgbe: fix memory leak in txgbe_probe() error path

Summary

In the Linux kernel, the following vulnerability has been resolved: net: txgbe: fix memory leak in txgbe_probe() error path When txgbe_sw_init() is called, memory is allocated for wx->rss_key in wx_init_rss_key(). However, in txgbe_probe() function, the subsequent error paths after txgbe_sw_init() don't free the rss_key. Fix that by freeing it in error path along with wx->mac_table. Also change the label to which execution jumps when txgbe_sw_init() fails, because otherwise, it could lead to a double free for rss_key, when the mac_table allocation fails in wx_sw_init().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/635863d93deb8e352…
	https://git.kernel.org/stable/c/837197a722919f5b0…
	https://git.kernel.org/stable/c/b2727326d0a537093…

Impacted products

Vendor

Product

Version

Linux

Affected: 937d46ecc5f941b26270bdf7ce37495f12b25955 , < 635863d93deb8e352d63a8eba852efeaf1ac3539 (git)
Affected: 937d46ecc5f941b26270bdf7ce37495f12b25955 , < 837197a722919f5b0eeb967fe7cb0cc1e83173b9 (git)
Affected: 937d46ecc5f941b26270bdf7ce37495f12b25955 , < b2727326d0a53709380aa147018085d71a6d4843 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/wangxun/txgbe/txgbe_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "635863d93deb8e352d63a8eba852efeaf1ac3539",
              "status": "affected",
              "version": "937d46ecc5f941b26270bdf7ce37495f12b25955",
              "versionType": "git"
            },
            {
              "lessThan": "837197a722919f5b0eeb967fe7cb0cc1e83173b9",
              "status": "affected",
              "version": "937d46ecc5f941b26270bdf7ce37495f12b25955",
              "versionType": "git"
            },
            {
              "lessThan": "b2727326d0a53709380aa147018085d71a6d4843",
              "status": "affected",
              "version": "937d46ecc5f941b26270bdf7ce37495f12b25955",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/wangxun/txgbe/txgbe_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: txgbe: fix memory leak in txgbe_probe() error path\n\nWhen txgbe_sw_init() is called, memory is allocated for wx-\u003erss_key\nin wx_init_rss_key(). However, in txgbe_probe() function, the subsequent\nerror paths after txgbe_sw_init() don\u0027t free the rss_key. Fix that by\nfreeing it in error path along with wx-\u003emac_table.\n\nAlso change the label to which execution jumps when txgbe_sw_init()\nfails, because otherwise, it could lead to a double free for rss_key,\nwhen the mac_table allocation fails in wx_sw_init()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:44.938Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/635863d93deb8e352d63a8eba852efeaf1ac3539"
        },
        {
          "url": "https://git.kernel.org/stable/c/837197a722919f5b0eeb967fe7cb0cc1e83173b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/b2727326d0a53709380aa147018085d71a6d4843"
        }
      ],
      "title": "net: txgbe: fix memory leak in txgbe_probe() error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37872",
    "datePublished": "2025-05-09T06:44:00.570Z",
    "dateReserved": "2025-04-16T04:51:23.959Z",
    "dateUpdated": "2025-05-26T05:22:44.938Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37771 (GCVE-0-2025-37771)

Vulnerability from cvelistv5 – Published: 2025-05-01 13:07 – Updated: 2025-11-03 19:54

Title

drm/amd/pm: Prevent division by zero

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/pm: Prevent division by zero The user can set any speed value. If speed is greater than UINT_MAX/8, division by zero is possible. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b7c41df4913789ebf…
	https://git.kernel.org/stable/c/402964994e8ece297…
	https://git.kernel.org/stable/c/5096174074114f83c…
	https://git.kernel.org/stable/c/6413fed0162081715…
	https://git.kernel.org/stable/c/baa54adb5e0599299…
	https://git.kernel.org/stable/c/7d641c2b83275d3b0…

Impacted products

Vendor

Product

Version

Linux

Affected: b64625a303de727498f80f8cb9833fc615c0a90f , < b7c41df4913789ebfe73cc1e17c6401d4c5eab69 (git)
Affected: b64625a303de727498f80f8cb9833fc615c0a90f , < 402964994e8ece29702383b234fabcf04791ff95 (git)
Affected: b64625a303de727498f80f8cb9833fc615c0a90f , < 5096174074114f83c700a27869c54362cbb10f3e (git)
Affected: b64625a303de727498f80f8cb9833fc615c0a90f , < 6413fed016208171592c88b5df002af8a1387e24 (git)
Affected: b64625a303de727498f80f8cb9833fc615c0a90f , < baa54adb5e0599299b8f088efb5544d876a3eb62 (git)
Affected: b64625a303de727498f80f8cb9833fc615c0a90f , < 7d641c2b83275d3b0424127b2e0d2d0f7dd82aef (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:48.572Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b7c41df4913789ebfe73cc1e17c6401d4c5eab69",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            },
            {
              "lessThan": "402964994e8ece29702383b234fabcf04791ff95",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            },
            {
              "lessThan": "5096174074114f83c700a27869c54362cbb10f3e",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            },
            {
              "lessThan": "6413fed016208171592c88b5df002af8a1387e24",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            },
            {
              "lessThan": "baa54adb5e0599299b8f088efb5544d876a3eb62",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            },
            {
              "lessThan": "7d641c2b83275d3b0424127b2e0d2d0f7dd82aef",
              "status": "affected",
              "version": "b64625a303de727498f80f8cb9833fc615c0a90f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/swsmu/smu11/arcturus_ppt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/pm: Prevent division by zero\n\nThe user can set any speed value.\nIf speed is greater than UINT_MAX/8, division by zero is possible.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:32.135Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b7c41df4913789ebfe73cc1e17c6401d4c5eab69"
        },
        {
          "url": "https://git.kernel.org/stable/c/402964994e8ece29702383b234fabcf04791ff95"
        },
        {
          "url": "https://git.kernel.org/stable/c/5096174074114f83c700a27869c54362cbb10f3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6413fed016208171592c88b5df002af8a1387e24"
        },
        {
          "url": "https://git.kernel.org/stable/c/baa54adb5e0599299b8f088efb5544d876a3eb62"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d641c2b83275d3b0424127b2e0d2d0f7dd82aef"
        }
      ],
      "title": "drm/amd/pm: Prevent division by zero",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37771",
    "datePublished": "2025-05-01T13:07:11.517Z",
    "dateReserved": "2025-04-16T04:51:23.939Z",
    "dateUpdated": "2025-11-03T19:54:48.572Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21971 (GCVE-0-2025-21971)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-11-03 19:40

Title

net_sched: Prevent creation of classes with TC_H_ROOT

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: Prevent creation of classes with TC_H_ROOT The function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination condition when traversing up the qdisc tree to update parent backlog counters. However, if a class is created with classid TC_H_ROOT, the traversal terminates prematurely at this class instead of reaching the actual root qdisc, causing parent statistics to be incorrectly maintained. In case of DRR, this could lead to a crash as reported by Mingi Cho. Prevent the creation of any Qdisc class with classid TC_H_ROOT (0xFFFFFFFF) across all qdisc types, as suggested by Jamal.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e05d9938b1b0ac40b…
	https://git.kernel.org/stable/c/7a82fe67a9f4d7123…
	https://git.kernel.org/stable/c/003d92c91cdb5a64b…
	https://git.kernel.org/stable/c/e5ee00607bbfc97ef…
	https://git.kernel.org/stable/c/78533c4a29ac3aedd…
	https://git.kernel.org/stable/c/5c3ca9cb48b51bd72…
	https://git.kernel.org/stable/c/94edfdfb9505ab608…
	https://git.kernel.org/stable/c/0c3057a5a04d07120…

Impacted products

Vendor

Product

Version

Linux

Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 7a82fe67a9f4d7123d8e5ba8f0f0806c28695006 (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 003d92c91cdb5a64b25a9a74cb8543aac9a8bb48 (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7 (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 78533c4a29ac3aeddce4b481770beaaa4f3bfb67 (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7 (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 94edfdfb9505ab608e86599d1d1e38c83816fc1c (git)
Affected: 066a3b5b2346febf9a655b444567b7138e3bb939 , < 0c3057a5a04d07120b3d0ec9c79568fceb9c921e (git)

Linux

Affected: 2.6.25
Unaffected: 0 , < 2.6.25 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:14.063Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "7a82fe67a9f4d7123d8e5ba8f0f0806c28695006",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "003d92c91cdb5a64b25a9a74cb8543aac9a8bb48",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "78533c4a29ac3aeddce4b481770beaaa4f3bfb67",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "94edfdfb9505ab608e86599d1d1e38c83816fc1c",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            },
            {
              "lessThan": "0c3057a5a04d07120b3d0ec9c79568fceb9c921e",
              "status": "affected",
              "version": "066a3b5b2346febf9a655b444567b7138e3bb939",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_api.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.25"
            },
            {
              "lessThan": "2.6.25",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.25",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: Prevent creation of classes with TC_H_ROOT\n\nThe function qdisc_tree_reduce_backlog() uses TC_H_ROOT as a termination\ncondition when traversing up the qdisc tree to update parent backlog\ncounters. However, if a class is created with classid TC_H_ROOT, the\ntraversal terminates prematurely at this class instead of reaching the\nactual root qdisc, causing parent statistics to be incorrectly maintained.\nIn case of DRR, this could lead to a crash as reported by Mingi Cho.\n\nPrevent the creation of any Qdisc class with classid TC_H_ROOT\n(0xFFFFFFFF) across all qdisc types, as suggested by Jamal."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:09.021Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e05d9938b1b0ac40b6054cc5fa0ccbd9afd5ed4c"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a82fe67a9f4d7123d8e5ba8f0f0806c28695006"
        },
        {
          "url": "https://git.kernel.org/stable/c/003d92c91cdb5a64b25a9a74cb8543aac9a8bb48"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5ee00607bbfc97ef1526ea95b6b2458ac9e7cb7"
        },
        {
          "url": "https://git.kernel.org/stable/c/78533c4a29ac3aeddce4b481770beaaa4f3bfb67"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c3ca9cb48b51bd72bf76b8b05e24f3cd53db5e7"
        },
        {
          "url": "https://git.kernel.org/stable/c/94edfdfb9505ab608e86599d1d1e38c83816fc1c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c3057a5a04d07120b3d0ec9c79568fceb9c921e"
        }
      ],
      "title": "net_sched: Prevent creation of classes with TC_H_ROOT",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21971",
    "datePublished": "2025-04-01T15:47:04.448Z",
    "dateReserved": "2024-12-29T08:45:45.797Z",
    "dateUpdated": "2025-11-03T19:40:14.063Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37761 (GCVE-0-2025-37761)

Vulnerability from cvelistv5 – Published: 2025-05-01 13:07 – Updated: 2025-05-26 05:20

Title

drm/xe: Fix an out-of-bounds shift when invalidating TLB

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/xe: Fix an out-of-bounds shift when invalidating TLB When the size of the range invalidated is larger than rounddown_pow_of_two(ULONG_MAX), The function macro roundup_pow_of_two(length) will hit an out-of-bounds shift [1]. Use a full TLB invalidation for such cases. v2: - Use a define for the range size limit over which we use a full TLB invalidation. (Lucas) - Use a better calculation of the limit. [1]: [ 39.202421] ------------[ cut here ]------------ [ 39.202657] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13 [ 39.202673] shift exponent 64 is too large for 64-bit type 'long unsigned int' [ 39.202688] CPU: 8 UID: 0 PID: 3129 Comm: xe_exec_system_ Tainted: G U 6.14.0+ #10 [ 39.202690] Tainted: [U]=USER [ 39.202690] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023 [ 39.202691] Call Trace: [ 39.202692] <TASK> [ 39.202695] dump_stack_lvl+0x6e/0xa0 [ 39.202699] ubsan_epilogue+0x5/0x30 [ 39.202701] __ubsan_handle_shift_out_of_bounds.cold+0x61/0xe6 [ 39.202705] xe_gt_tlb_invalidation_range.cold+0x1d/0x3a [xe] [ 39.202800] ? find_held_lock+0x2b/0x80 [ 39.202803] ? mark_held_locks+0x40/0x70 [ 39.202806] xe_svm_invalidate+0x459/0x700 [xe] [ 39.202897] drm_gpusvm_notifier_invalidate+0x4d/0x70 [drm_gpusvm] [ 39.202900] __mmu_notifier_release+0x1f5/0x270 [ 39.202905] exit_mmap+0x40e/0x450 [ 39.202912] __mmput+0x45/0x110 [ 39.202914] exit_mm+0xc5/0x130 [ 39.202916] do_exit+0x21c/0x500 [ 39.202918] ? lockdep_hardirqs_on_prepare+0xdb/0x190 [ 39.202920] do_group_exit+0x36/0xa0 [ 39.202922] get_signal+0x8f8/0x900 [ 39.202926] arch_do_signal_or_restart+0x35/0x100 [ 39.202930] syscall_exit_to_user_mode+0x1fc/0x290 [ 39.202932] do_syscall_64+0xa1/0x180 [ 39.202934] ? do_user_addr_fault+0x59f/0x8a0 [ 39.202937] ? lock_release+0xd2/0x2a0 [ 39.202939] ? do_user_addr_fault+0x5a9/0x8a0 [ 39.202942] ? trace_hardirqs_off+0x4b/0xc0 [ 39.202944] ? clear_bhb_loop+0x25/0x80 [ 39.202946] ? clear_bhb_loop+0x25/0x80 [ 39.202947] ? clear_bhb_loop+0x25/0x80 [ 39.202950] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 39.202952] RIP: 0033:0x7fa945e543e1 [ 39.202961] Code: Unable to access opcode bytes at 0x7fa945e543b7. [ 39.202962] RSP: 002b:00007ffca8fb4170 EFLAGS: 00000293 [ 39.202963] RAX: 000000000000003d RBX: 0000000000000000 RCX: 00007fa945e543e3 [ 39.202964] RDX: 0000000000000000 RSI: 00007ffca8fb41ac RDI: 00000000ffffffff [ 39.202964] RBP: 00007ffca8fb4190 R08: 0000000000000000 R09: 00007fa945f600a0 [ 39.202965] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000 [ 39.202966] R13: 00007fa9460dd310 R14: 00007ffca8fb41ac R15: 0000000000000000 [ 39.202970] </TASK> [ 39.202970] ---[ end trace ]--- (cherry picked from commit b88f48f86500bc0b44b4f73ac66d500a40d320ad)

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/28477f701b63922ff…
	https://git.kernel.org/stable/c/e4715858f87b78ce5…
	https://git.kernel.org/stable/c/7bcfeddb36b77f9fe…

Impacted products

Vendor

Product

Version

Linux

Affected: 332dd0116c82a75df175a459fa69dda3f23491a7 , < 28477f701b63922ff88e9fb13f5519c11cd48b86 (git)
Affected: 332dd0116c82a75df175a459fa69dda3f23491a7 , < e4715858f87b78ce58cfa03bbe140321edbbaf20 (git)
Affected: 332dd0116c82a75df175a459fa69dda3f23491a7 , < 7bcfeddb36b77f9fe3b010bb0b282b7618420bba (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "28477f701b63922ff88e9fb13f5519c11cd48b86",
              "status": "affected",
              "version": "332dd0116c82a75df175a459fa69dda3f23491a7",
              "versionType": "git"
            },
            {
              "lessThan": "e4715858f87b78ce58cfa03bbe140321edbbaf20",
              "status": "affected",
              "version": "332dd0116c82a75df175a459fa69dda3f23491a7",
              "versionType": "git"
            },
            {
              "lessThan": "7bcfeddb36b77f9fe3b010bb0b282b7618420bba",
              "status": "affected",
              "version": "332dd0116c82a75df175a459fa69dda3f23491a7",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/xe/xe_gt_tlb_invalidation.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/xe: Fix an out-of-bounds shift when invalidating TLB\n\nWhen the size of the range invalidated is larger than\nrounddown_pow_of_two(ULONG_MAX),\nThe function macro roundup_pow_of_two(length) will hit an out-of-bounds\nshift [1].\n\nUse a full TLB invalidation for such cases.\nv2:\n- Use a define for the range size limit over which we use a full\n  TLB invalidation. (Lucas)\n- Use a better calculation of the limit.\n\n[1]:\n[   39.202421] ------------[ cut here ]------------\n[   39.202657] UBSAN: shift-out-of-bounds in ./include/linux/log2.h:57:13\n[   39.202673] shift exponent 64 is too large for 64-bit type \u0027long unsigned int\u0027\n[   39.202688] CPU: 8 UID: 0 PID: 3129 Comm: xe_exec_system_ Tainted: G     U             6.14.0+ #10\n[   39.202690] Tainted: [U]=USER\n[   39.202690] Hardware name: ASUS System Product Name/PRIME B560M-A AC, BIOS 2001 02/01/2023\n[   39.202691] Call Trace:\n[   39.202692]  \u003cTASK\u003e\n[   39.202695]  dump_stack_lvl+0x6e/0xa0\n[   39.202699]  ubsan_epilogue+0x5/0x30\n[   39.202701]  __ubsan_handle_shift_out_of_bounds.cold+0x61/0xe6\n[   39.202705]  xe_gt_tlb_invalidation_range.cold+0x1d/0x3a [xe]\n[   39.202800]  ? find_held_lock+0x2b/0x80\n[   39.202803]  ? mark_held_locks+0x40/0x70\n[   39.202806]  xe_svm_invalidate+0x459/0x700 [xe]\n[   39.202897]  drm_gpusvm_notifier_invalidate+0x4d/0x70 [drm_gpusvm]\n[   39.202900]  __mmu_notifier_release+0x1f5/0x270\n[   39.202905]  exit_mmap+0x40e/0x450\n[   39.202912]  __mmput+0x45/0x110\n[   39.202914]  exit_mm+0xc5/0x130\n[   39.202916]  do_exit+0x21c/0x500\n[   39.202918]  ? lockdep_hardirqs_on_prepare+0xdb/0x190\n[   39.202920]  do_group_exit+0x36/0xa0\n[   39.202922]  get_signal+0x8f8/0x900\n[   39.202926]  arch_do_signal_or_restart+0x35/0x100\n[   39.202930]  syscall_exit_to_user_mode+0x1fc/0x290\n[   39.202932]  do_syscall_64+0xa1/0x180\n[   39.202934]  ? do_user_addr_fault+0x59f/0x8a0\n[   39.202937]  ? lock_release+0xd2/0x2a0\n[   39.202939]  ? do_user_addr_fault+0x5a9/0x8a0\n[   39.202942]  ? trace_hardirqs_off+0x4b/0xc0\n[   39.202944]  ? clear_bhb_loop+0x25/0x80\n[   39.202946]  ? clear_bhb_loop+0x25/0x80\n[   39.202947]  ? clear_bhb_loop+0x25/0x80\n[   39.202950]  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n[   39.202952] RIP: 0033:0x7fa945e543e1\n[   39.202961] Code: Unable to access opcode bytes at 0x7fa945e543b7.\n[   39.202962] RSP: 002b:00007ffca8fb4170 EFLAGS: 00000293\n[   39.202963] RAX: 000000000000003d RBX: 0000000000000000 RCX: 00007fa945e543e3\n[   39.202964] RDX: 0000000000000000 RSI: 00007ffca8fb41ac RDI: 00000000ffffffff\n[   39.202964] RBP: 00007ffca8fb4190 R08: 0000000000000000 R09: 00007fa945f600a0\n[   39.202965] R10: 0000000000000000 R11: 0000000000000293 R12: 0000000000000000\n[   39.202966] R13: 00007fa9460dd310 R14: 00007ffca8fb41ac R15: 0000000000000000\n[   39.202970]  \u003c/TASK\u003e\n[   39.202970] ---[ end trace ]---\n\n(cherry picked from commit b88f48f86500bc0b44b4f73ac66d500a40d320ad)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:18.674Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/28477f701b63922ff88e9fb13f5519c11cd48b86"
        },
        {
          "url": "https://git.kernel.org/stable/c/e4715858f87b78ce58cfa03bbe140321edbbaf20"
        },
        {
          "url": "https://git.kernel.org/stable/c/7bcfeddb36b77f9fe3b010bb0b282b7618420bba"
        }
      ],
      "title": "drm/xe: Fix an out-of-bounds shift when invalidating TLB",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37761",
    "datePublished": "2025-05-01T13:07:03.389Z",
    "dateReserved": "2025-04-16T04:51:23.938Z",
    "dateUpdated": "2025-05-26T05:20:18.674Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58007 (GCVE-0-2024-58007)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:12 – Updated: 2025-11-03 19:33

Title

soc: qcom: socinfo: Avoid out of bounds read of serial number

Summary

In the Linux kernel, the following vulnerability has been resolved: soc: qcom: socinfo: Avoid out of bounds read of serial number On MSM8916 devices, the serial number exposed in sysfs is constant and does not change across individual devices. It's always: db410c:/sys/devices/soc0$ cat serial_number 2644893864 The firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not have support for the serial_num field in the socinfo struct. There is an existing check to avoid exposing the serial number in that case, but it's not correct: When checking the item_size returned by SMEM, we need to make sure the *end* of the serial_num is within bounds, instead of comparing with the *start* offset. The serial_number currently exposed on MSM8916 devices is just an out of bounds read of whatever comes after the socinfo struct in SMEM. Fix this by changing offsetof() to offsetofend(), so that the size of the field is also taken into account.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7445fa05317534bbd…
	https://git.kernel.org/stable/c/2495c6598731b6d7f…
	https://git.kernel.org/stable/c/2d09d3c9afa2fc422…
	https://git.kernel.org/stable/c/9c88b3a3fae4d6064…
	https://git.kernel.org/stable/c/47470acd719d45c4c…
	https://git.kernel.org/stable/c/407c928305c1a3723…
	https://git.kernel.org/stable/c/0a92feddae0634a0b…
	https://git.kernel.org/stable/c/22cf4fae6660b6e1a…

Impacted products

Vendor

Product

Version

Linux

Affected: efb448d0a3fca01bb987dd70963da6185b81751e , < 7445fa05317534bbd8b373c0eff8319187916030 (git)
Affected: efb448d0a3fca01bb987dd70963da6185b81751e , < 2495c6598731b6d7f565140f2bd63ef4bc36ce7d (git)
Affected: efb448d0a3fca01bb987dd70963da6185b81751e , < 2d09d3c9afa2fc422ac3df7c9b8534f350ee19dd (git)
Affected: efb448d0a3fca01bb987dd70963da6185b81751e , < 9c88b3a3fae4d60641c3a45be66269d00eff33cd (git)
Affected: efb448d0a3fca01bb987dd70963da6185b81751e , < 47470acd719d45c4c8c418c07962f74cc995652b (git)
Affected: efb448d0a3fca01bb987dd70963da6185b81751e , < 407c928305c1a37232a63811c400ef616f85ccbc (git)
Affected: efb448d0a3fca01bb987dd70963da6185b81751e , < 0a92feddae0634a0b87c04b19d343f6af97af700 (git)
Affected: efb448d0a3fca01bb987dd70963da6185b81751e , < 22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0 (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.78 , ≤ 6.6.* (semver)
Unaffected: 6.12.14 , ≤ 6.12.* (semver)
Unaffected: 6.13.3 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:33:21.429Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/qcom/socinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7445fa05317534bbd8b373c0eff8319187916030",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "2495c6598731b6d7f565140f2bd63ef4bc36ce7d",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "2d09d3c9afa2fc422ac3df7c9b8534f350ee19dd",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "9c88b3a3fae4d60641c3a45be66269d00eff33cd",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "47470acd719d45c4c8c418c07962f74cc995652b",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "407c928305c1a37232a63811c400ef616f85ccbc",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "0a92feddae0634a0b87c04b19d343f6af97af700",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            },
            {
              "lessThan": "22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0",
              "status": "affected",
              "version": "efb448d0a3fca01bb987dd70963da6185b81751e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/soc/qcom/socinfo.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsoc: qcom: socinfo: Avoid out of bounds read of serial number\n\nOn MSM8916 devices, the serial number exposed in sysfs is constant and does\nnot change across individual devices. It\u0027s always:\n\n  db410c:/sys/devices/soc0$ cat serial_number\n  2644893864\n\nThe firmware used on MSM8916 exposes SOCINFO_VERSION(0, 8), which does not\nhave support for the serial_num field in the socinfo struct. There is an\nexisting check to avoid exposing the serial number in that case, but it\u0027s\nnot correct: When checking the item_size returned by SMEM, we need to make\nsure the *end* of the serial_num is within bounds, instead of comparing\nwith the *start* offset. The serial_number currently exposed on MSM8916\ndevices is just an out of bounds read of whatever comes after the socinfo\nstruct in SMEM.\n\nFix this by changing offsetof() to offsetofend(), so that the size of the\nfield is also taken into account."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:08:16.807Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7445fa05317534bbd8b373c0eff8319187916030"
        },
        {
          "url": "https://git.kernel.org/stable/c/2495c6598731b6d7f565140f2bd63ef4bc36ce7d"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d09d3c9afa2fc422ac3df7c9b8534f350ee19dd"
        },
        {
          "url": "https://git.kernel.org/stable/c/9c88b3a3fae4d60641c3a45be66269d00eff33cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/47470acd719d45c4c8c418c07962f74cc995652b"
        },
        {
          "url": "https://git.kernel.org/stable/c/407c928305c1a37232a63811c400ef616f85ccbc"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a92feddae0634a0b87c04b19d343f6af97af700"
        },
        {
          "url": "https://git.kernel.org/stable/c/22cf4fae6660b6e1a583a41cbf84e3046ca9ccd0"
        }
      ],
      "title": "soc: qcom: socinfo: Avoid out of bounds read of serial number",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58007",
    "datePublished": "2025-02-27T02:12:03.593Z",
    "dateReserved": "2025-02-27T02:10:48.227Z",
    "dateUpdated": "2025-11-03T19:33:21.429Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21974 (GCVE-0-2025-21974)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-05-04 07:26

Title

eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc()

Summary

In the Linux kernel, the following vulnerability has been resolved: eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc() The bnxt_queue_mem_alloc() is called to allocate new queue memory when a queue is restarted. It internally accesses rx buffer descriptor corresponding to the index. The rx buffer descriptor is allocated and set when the interface is up and it's freed when the interface is down. So, if queue is restarted if interface is down, kernel panic occurs. Splat looks like: BUG: unable to handle page fault for address: 000000000000b240 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 3 UID: 0 PID: 1563 Comm: ncdevmem2 Not tainted 6.14.0-rc2+ #9 844ddba6e7c459cafd0bf4db9a3198e Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021 RIP: 0010:bnxt_queue_mem_alloc+0x3f/0x4e0 [bnxt_en] Code: 41 54 4d 89 c4 4d 69 c0 c0 05 00 00 55 48 89 f5 53 48 89 fb 4c 8d b5 40 05 00 00 48 83 ec 15 RSP: 0018:ffff9dcc83fef9e8 EFLAGS: 00010202 RAX: ffffffffc0457720 RBX: ffff934ed8d40000 RCX: 0000000000000000 RDX: 000000000000001f RSI: ffff934ea508f800 RDI: ffff934ea508f808 RBP: ffff934ea508f800 R08: 000000000000b240 R09: ffff934e84f4b000 R10: ffff9dcc83fefa30 R11: ffff934e84f4b000 R12: 000000000000001f R13: ffff934ed8d40ac0 R14: ffff934ea508fd40 R15: ffff934e84f4b000 FS: 00007fa73888c740(0000) GS:ffff93559f780000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000b240 CR3: 0000000145a2e000 CR4: 00000000007506f0 PKRU: 55555554 Call Trace: <TASK> ? __die+0x20/0x70 ? page_fault_oops+0x15a/0x460 ? exc_page_fault+0x6e/0x180 ? asm_exc_page_fault+0x22/0x30 ? __pfx_bnxt_queue_mem_alloc+0x10/0x10 [bnxt_en 7f85e76f4d724ba07471d7e39d9e773aea6597b7] ? bnxt_queue_mem_alloc+0x3f/0x4e0 [bnxt_en 7f85e76f4d724ba07471d7e39d9e773aea6597b7] netdev_rx_queue_restart+0xc5/0x240 net_devmem_bind_dmabuf_to_queue+0xf8/0x200 netdev_nl_bind_rx_doit+0x3a7/0x450 genl_family_rcv_msg_doit+0xd9/0x130 genl_rcv_msg+0x184/0x2b0 ? __pfx_netdev_nl_bind_rx_doit+0x10/0x10 ? __pfx_genl_rcv_msg+0x10/0x10 netlink_rcv_skb+0x54/0x100 genl_rcv+0x24/0x40 ...

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/14eb5f0d6554653f4…
	https://git.kernel.org/stable/c/d3b8cd8a8a98c7c83…
	https://git.kernel.org/stable/c/ca2456e073957781e…

Impacted products

Vendor

Product

Version

Linux

Affected: 2d694c27d32efc9467a8a20e4ad641ab5adfd07d , < 14eb5f0d6554653f4b159835c2f77b2a9bd7e9be (git)
Affected: 2d694c27d32efc9467a8a20e4ad641ab5adfd07d , < d3b8cd8a8a98c7c83a693bd651f1919be36a57f2 (git)
Affected: 2d694c27d32efc9467a8a20e4ad641ab5adfd07d , < ca2456e073957781e1184de68551c65161b2bd30 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "14eb5f0d6554653f4b159835c2f77b2a9bd7e9be",
              "status": "affected",
              "version": "2d694c27d32efc9467a8a20e4ad641ab5adfd07d",
              "versionType": "git"
            },
            {
              "lessThan": "d3b8cd8a8a98c7c83a693bd651f1919be36a57f2",
              "status": "affected",
              "version": "2d694c27d32efc9467a8a20e4ad641ab5adfd07d",
              "versionType": "git"
            },
            {
              "lessThan": "ca2456e073957781e1184de68551c65161b2bd30",
              "status": "affected",
              "version": "2d694c27d32efc9467a8a20e4ad641ab5adfd07d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/broadcom/bnxt/bnxt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\neth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc()\n\nThe bnxt_queue_mem_alloc() is called to allocate new queue memory when\na queue is restarted.\nIt internally accesses rx buffer descriptor corresponding to the index.\nThe rx buffer descriptor is allocated and set when the interface is up\nand it\u0027s freed when the interface is down.\nSo, if queue is restarted if interface is down, kernel panic occurs.\n\nSplat looks like:\n BUG: unable to handle page fault for address: 000000000000b240\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 3 UID: 0 PID: 1563 Comm: ncdevmem2 Not tainted 6.14.0-rc2+ #9 844ddba6e7c459cafd0bf4db9a3198e\n Hardware name: ASUS System Product Name/PRIME Z690-P D4, BIOS 0603 11/01/2021\n RIP: 0010:bnxt_queue_mem_alloc+0x3f/0x4e0 [bnxt_en]\n Code: 41 54 4d 89 c4 4d 69 c0 c0 05 00 00 55 48 89 f5 53 48 89 fb 4c 8d b5 40 05 00 00 48 83 ec 15\n RSP: 0018:ffff9dcc83fef9e8 EFLAGS: 00010202\n RAX: ffffffffc0457720 RBX: ffff934ed8d40000 RCX: 0000000000000000\n RDX: 000000000000001f RSI: ffff934ea508f800 RDI: ffff934ea508f808\n RBP: ffff934ea508f800 R08: 000000000000b240 R09: ffff934e84f4b000\n R10: ffff9dcc83fefa30 R11: ffff934e84f4b000 R12: 000000000000001f\n R13: ffff934ed8d40ac0 R14: ffff934ea508fd40 R15: ffff934e84f4b000\n FS:  00007fa73888c740(0000) GS:ffff93559f780000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 000000000000b240 CR3: 0000000145a2e000 CR4: 00000000007506f0\n PKRU: 55555554\n Call Trace:\n  \u003cTASK\u003e\n  ? __die+0x20/0x70\n  ? page_fault_oops+0x15a/0x460\n  ? exc_page_fault+0x6e/0x180\n  ? asm_exc_page_fault+0x22/0x30\n  ? __pfx_bnxt_queue_mem_alloc+0x10/0x10 [bnxt_en 7f85e76f4d724ba07471d7e39d9e773aea6597b7]\n  ? bnxt_queue_mem_alloc+0x3f/0x4e0 [bnxt_en 7f85e76f4d724ba07471d7e39d9e773aea6597b7]\n  netdev_rx_queue_restart+0xc5/0x240\n  net_devmem_bind_dmabuf_to_queue+0xf8/0x200\n  netdev_nl_bind_rx_doit+0x3a7/0x450\n  genl_family_rcv_msg_doit+0xd9/0x130\n  genl_rcv_msg+0x184/0x2b0\n  ? __pfx_netdev_nl_bind_rx_doit+0x10/0x10\n  ? __pfx_genl_rcv_msg+0x10/0x10\n  netlink_rcv_skb+0x54/0x100\n  genl_rcv+0x24/0x40\n..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:26:17.738Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/14eb5f0d6554653f4b159835c2f77b2a9bd7e9be"
        },
        {
          "url": "https://git.kernel.org/stable/c/d3b8cd8a8a98c7c83a693bd651f1919be36a57f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca2456e073957781e1184de68551c65161b2bd30"
        }
      ],
      "title": "eth: bnxt: return fail if interface is down in bnxt_queue_mem_alloc()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21974",
    "datePublished": "2025-04-01T15:47:06.055Z",
    "dateReserved": "2024-12-29T08:45:45.797Z",
    "dateUpdated": "2025-05-04T07:26:17.738Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21937 (GCVE-0-2025-21937)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()

Summary

In the Linux kernel, the following vulnerability has been resolved: Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name() Add check for the return value of mgmt_alloc_skb() in mgmt_remote_name() to prevent null pointer dereference.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/37785a01040cb5d11…
	https://git.kernel.org/stable/c/c5845c73cbacf5704…
	https://git.kernel.org/stable/c/88310caff68ae69d0…
	https://git.kernel.org/stable/c/69fb168b88e4d62cb…
	https://git.kernel.org/stable/c/f2176a07e7b19f73e…

Impacted products

Vendor

Product

Version

Linux

Affected: ba17bb62ce415950753c19d16bb43b2bd3701158 , < 37785a01040cb5d11ed0ddbcbf78491fcd073161 (git)
Affected: ba17bb62ce415950753c19d16bb43b2bd3701158 , < c5845c73cbacf5704169283ef29ca02031a36564 (git)
Affected: ba17bb62ce415950753c19d16bb43b2bd3701158 , < 88310caff68ae69d0574859f7926a59c1da2d60b (git)
Affected: ba17bb62ce415950753c19d16bb43b2bd3701158 , < 69fb168b88e4d62cb31cdd725b67ccc5216cfcaf (git)
Affected: ba17bb62ce415950753c19d16bb43b2bd3701158 , < f2176a07e7b19f73e05c805cf3d130a2999154cb (git)
Affected: 0f526a6d3e9347d94c2c0b5292a3cb3b25115019 (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21937",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:22:11.013258Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:32.809Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:36.194Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "37785a01040cb5d11ed0ddbcbf78491fcd073161",
              "status": "affected",
              "version": "ba17bb62ce415950753c19d16bb43b2bd3701158",
              "versionType": "git"
            },
            {
              "lessThan": "c5845c73cbacf5704169283ef29ca02031a36564",
              "status": "affected",
              "version": "ba17bb62ce415950753c19d16bb43b2bd3701158",
              "versionType": "git"
            },
            {
              "lessThan": "88310caff68ae69d0574859f7926a59c1da2d60b",
              "status": "affected",
              "version": "ba17bb62ce415950753c19d16bb43b2bd3701158",
              "versionType": "git"
            },
            {
              "lessThan": "69fb168b88e4d62cb31cdd725b67ccc5216cfcaf",
              "status": "affected",
              "version": "ba17bb62ce415950753c19d16bb43b2bd3701158",
              "versionType": "git"
            },
            {
              "lessThan": "f2176a07e7b19f73e05c805cf3d130a2999154cb",
              "status": "affected",
              "version": "ba17bb62ce415950753c19d16bb43b2bd3701158",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "0f526a6d3e9347d94c2c0b5292a3cb3b25115019",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/bluetooth/mgmt.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.17.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nBluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()\n\nAdd check for the return value of mgmt_alloc_skb() in\nmgmt_remote_name() to prevent null pointer dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:48.173Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/37785a01040cb5d11ed0ddbcbf78491fcd073161"
        },
        {
          "url": "https://git.kernel.org/stable/c/c5845c73cbacf5704169283ef29ca02031a36564"
        },
        {
          "url": "https://git.kernel.org/stable/c/88310caff68ae69d0574859f7926a59c1da2d60b"
        },
        {
          "url": "https://git.kernel.org/stable/c/69fb168b88e4d62cb31cdd725b67ccc5216cfcaf"
        },
        {
          "url": "https://git.kernel.org/stable/c/f2176a07e7b19f73e05c805cf3d130a2999154cb"
        }
      ],
      "title": "Bluetooth: Add check for mgmt_alloc_skb() in mgmt_remote_name()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21937",
    "datePublished": "2025-04-01T15:41:04.378Z",
    "dateReserved": "2024-12-29T08:45:45.789Z",
    "dateUpdated": "2025-11-03T19:39:36.194Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37828 (GCVE-0-2025-37828)

Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2025-05-26 05:21

Title

scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort() A race can occur between the MCQ completion path and the abort handler: once a request completes, __blk_mq_free_request() sets rq->mq_hctx to NULL, meaning the subsequent ufshcd_mcq_req_to_hwq() call in ufshcd_mcq_abort() can return a NULL pointer. If this NULL pointer is dereferenced, the kernel will crash. Add a NULL check for the returned hwq pointer. If hwq is NULL, log an error and return FAILED, preventing a potential NULL-pointer dereference. As suggested by Bart, the ufshcd_cmd_inflight() check is removed. This is similar to the fix in commit 74736103fb41 ("scsi: ufs: core: Fix ufshcd_abort_one racing issue"). This is found by our static analysis tool KNighter.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d6979fabe812a168d…
	https://git.kernel.org/stable/c/7d002f591486f5ef4…
	https://git.kernel.org/stable/c/47eec518aef3814f6…
	https://git.kernel.org/stable/c/4c324085062919d4e…

Impacted products

Vendor

Product

Version

Linux

Affected: f1304d4420777f82a1d844c606db3d9eca841765 , < d6979fabe812a168d5053e5a41d5a2e9b8afd7bf (git)
Affected: f1304d4420777f82a1d844c606db3d9eca841765 , < 7d002f591486f5ef4bc02eb02025a53f931f0eb5 (git)
Affected: f1304d4420777f82a1d844c606db3d9eca841765 , < 47eec518aef3814f64a5da43df81bdd74d8c0041 (git)
Affected: f1304d4420777f82a1d844c606db3d9eca841765 , < 4c324085062919d4e21c69e5e78456dcec0052fe (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufs-mcq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d6979fabe812a168d5053e5a41d5a2e9b8afd7bf",
              "status": "affected",
              "version": "f1304d4420777f82a1d844c606db3d9eca841765",
              "versionType": "git"
            },
            {
              "lessThan": "7d002f591486f5ef4bc02eb02025a53f931f0eb5",
              "status": "affected",
              "version": "f1304d4420777f82a1d844c606db3d9eca841765",
              "versionType": "git"
            },
            {
              "lessThan": "47eec518aef3814f64a5da43df81bdd74d8c0041",
              "status": "affected",
              "version": "f1304d4420777f82a1d844c606db3d9eca841765",
              "versionType": "git"
            },
            {
              "lessThan": "4c324085062919d4e21c69e5e78456dcec0052fe",
              "status": "affected",
              "version": "f1304d4420777f82a1d844c606db3d9eca841765",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/ufs/core/ufs-mcq.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()\n\nA race can occur between the MCQ completion path and the abort handler:\nonce a request completes, __blk_mq_free_request() sets rq-\u003emq_hctx to\nNULL, meaning the subsequent ufshcd_mcq_req_to_hwq() call in\nufshcd_mcq_abort() can return a NULL pointer. If this NULL pointer is\ndereferenced, the kernel will crash.\n\nAdd a NULL check for the returned hwq pointer. If hwq is NULL, log an\nerror and return FAILED, preventing a potential NULL-pointer\ndereference.  As suggested by Bart, the ufshcd_cmd_inflight() check is\nremoved.\n\nThis is similar to the fix in commit 74736103fb41 (\"scsi: ufs: core: Fix\nufshcd_abort_one racing issue\").\n\nThis is found by our static analysis tool KNighter."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:45.612Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d6979fabe812a168d5053e5a41d5a2e9b8afd7bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d002f591486f5ef4bc02eb02025a53f931f0eb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/47eec518aef3814f64a5da43df81bdd74d8c0041"
        },
        {
          "url": "https://git.kernel.org/stable/c/4c324085062919d4e21c69e5e78456dcec0052fe"
        }
      ],
      "title": "scsi: ufs: mcq: Add NULL check in ufshcd_mcq_abort()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37828",
    "datePublished": "2025-05-08T06:26:20.135Z",
    "dateReserved": "2025-04-16T04:51:23.950Z",
    "dateUpdated": "2025-05-26T05:21:45.612Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21959 (GCVE-0-2025-21959)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2025-11-03 19:40

Title

netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() Since commit b36e4523d4d5 ("netfilter: nf_conncount: fix garbage collection confirm race"), `cpu` and `jiffies32` were introduced to the struct nf_conncount_tuple. The commit made nf_conncount_add() initialize `conn->cpu` and `conn->jiffies32` when allocating the struct. In contrast, count_tree() was not changed to initialize them. By commit 34848d5c896e ("netfilter: nf_conncount: Split insert and traversal"), count_tree() was split and the relevant allocation code now resides in insert_tree(). Initialize `conn->cpu` and `conn->jiffies32` in insert_tree(). BUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline] BUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143 find_or_evict net/netfilter/nf_conncount.c:117 [inline] __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143 count_tree net/netfilter/nf_conncount.c:438 [inline] nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72 __nft_match_eval net/netfilter/nft_compat.c:403 [inline] nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663 NF_HOOK_LIST include/linux/netfilter.h:350 [inline] ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633 ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669 __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline] __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983 __netif_receive_skb_list net/core/dev.c:6035 [inline] netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126 netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178 xdp_recv_frames net/bpf/test_run.c:280 [inline] xdp_test_run_batch net/bpf/test_run.c:361 [inline] bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390 bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316 bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407 __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813 __do_sys_bpf kernel/bpf/syscall.c:5902 [inline] __se_sys_bpf kernel/bpf/syscall.c:5900 [inline] __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900 ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358 do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline] __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387 do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412 do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450 entry_SYSENTER_compat_after_hwframe+0x84/0x8e Uninit was created at: slab_post_alloc_hook mm/slub.c:4121 [inline] slab_alloc_node mm/slub.c:4164 [inline] kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171 insert_tree net/netfilter/nf_conncount.c:372 [inline] count_tree net/netfilter/nf_conncount.c:450 [inline] nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521 connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72 __nft_match_eval net/netfilter/nft_compat.c:403 [inline] nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433 expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline] nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288 nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23 nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline] nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626 nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663 NF_HOOK_LIST include/linux/netfilter.h:350 [inline] ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633 ip_list_rcv+0x9ef/0xa40 net/ip ---truncated---

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f522229c5563b59b4…
	https://git.kernel.org/stable/c/2a154ce766b995494…
	https://git.kernel.org/stable/c/e8544a5a97bee3674…
	https://git.kernel.org/stable/c/a62a25c6ad58fae99…
	https://git.kernel.org/stable/c/fda50302a13701d47…
	https://git.kernel.org/stable/c/db1e0c0856821c59a…
	https://git.kernel.org/stable/c/2db5baaf047a7c8d6…
	https://git.kernel.org/stable/c/d653bfeb07ebb3499…

Impacted products

Vendor

Product

Version

Linux

Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < f522229c5563b59b4240261e406779bba6754159 (git)
Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < 2a154ce766b995494e88d8d117fa82cc6b73dd87 (git)
Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < e8544a5a97bee3674e7cd6bf0f3a4af517fa9146 (git)
Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < a62a25c6ad58fae997f48a0749afeda1c252ae51 (git)
Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < fda50302a13701d47fbe01e1739c7a51114144fb (git)
Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < db1e0c0856821c59a32ea3af79476bf20a6beeb2 (git)
Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < 2db5baaf047a7c8d6ed5e2cc657b7854e155b7fc (git)
Affected: b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 , < d653bfeb07ebb3499c403404c21ac58a16531607 (git)
Affected: 75af3d78168e654a5cd8bbc4c774f97be836165f (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21959",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:15:56.023953Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:15:58.938Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:01.234Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_conncount.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f522229c5563b59b4240261e406779bba6754159",
              "status": "affected",
              "version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
              "versionType": "git"
            },
            {
              "lessThan": "2a154ce766b995494e88d8d117fa82cc6b73dd87",
              "status": "affected",
              "version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
              "versionType": "git"
            },
            {
              "lessThan": "e8544a5a97bee3674e7cd6bf0f3a4af517fa9146",
              "status": "affected",
              "version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
              "versionType": "git"
            },
            {
              "lessThan": "a62a25c6ad58fae997f48a0749afeda1c252ae51",
              "status": "affected",
              "version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
              "versionType": "git"
            },
            {
              "lessThan": "fda50302a13701d47fbe01e1739c7a51114144fb",
              "status": "affected",
              "version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
              "versionType": "git"
            },
            {
              "lessThan": "db1e0c0856821c59a32ea3af79476bf20a6beeb2",
              "status": "affected",
              "version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
              "versionType": "git"
            },
            {
              "lessThan": "2db5baaf047a7c8d6ed5e2cc657b7854e155b7fc",
              "status": "affected",
              "version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
              "versionType": "git"
            },
            {
              "lessThan": "d653bfeb07ebb3499c403404c21ac58a16531607",
              "status": "affected",
              "version": "b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "75af3d78168e654a5cd8bbc4c774f97be836165f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nf_conncount.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.92",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()\n\nSince commit b36e4523d4d5 (\"netfilter: nf_conncount: fix garbage\ncollection confirm race\"), `cpu` and `jiffies32` were introduced to\nthe struct nf_conncount_tuple.\n\nThe commit made nf_conncount_add() initialize `conn-\u003ecpu` and\n`conn-\u003ejiffies32` when allocating the struct.\nIn contrast, count_tree() was not changed to initialize them.\n\nBy commit 34848d5c896e (\"netfilter: nf_conncount: Split insert and\ntraversal\"), count_tree() was split and the relevant allocation\ncode now resides in insert_tree().\nInitialize `conn-\u003ecpu` and `conn-\u003ejiffies32` in insert_tree().\n\nBUG: KMSAN: uninit-value in find_or_evict net/netfilter/nf_conncount.c:117 [inline]\nBUG: KMSAN: uninit-value in __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143\n find_or_evict net/netfilter/nf_conncount.c:117 [inline]\n __nf_conncount_add+0xd9c/0x2850 net/netfilter/nf_conncount.c:143\n count_tree net/netfilter/nf_conncount.c:438 [inline]\n nf_conncount_count+0x82f/0x1e80 net/netfilter/nf_conncount.c:521\n connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72\n __nft_match_eval net/netfilter/nft_compat.c:403 [inline]\n nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663\n NF_HOOK_LIST include/linux/netfilter.h:350 [inline]\n ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633\n ip_list_rcv+0x9ef/0xa40 net/ipv4/ip_input.c:669\n __netif_receive_skb_list_ptype net/core/dev.c:5936 [inline]\n __netif_receive_skb_list_core+0x15c5/0x1670 net/core/dev.c:5983\n __netif_receive_skb_list net/core/dev.c:6035 [inline]\n netif_receive_skb_list_internal+0x1085/0x1700 net/core/dev.c:6126\n netif_receive_skb_list+0x5a/0x460 net/core/dev.c:6178\n xdp_recv_frames net/bpf/test_run.c:280 [inline]\n xdp_test_run_batch net/bpf/test_run.c:361 [inline]\n bpf_test_run_xdp_live+0x2e86/0x3480 net/bpf/test_run.c:390\n bpf_prog_test_run_xdp+0xf1d/0x1ae0 net/bpf/test_run.c:1316\n bpf_prog_test_run+0x5e5/0xa30 kernel/bpf/syscall.c:4407\n __sys_bpf+0x6aa/0xd90 kernel/bpf/syscall.c:5813\n __do_sys_bpf kernel/bpf/syscall.c:5902 [inline]\n __se_sys_bpf kernel/bpf/syscall.c:5900 [inline]\n __ia32_sys_bpf+0xa0/0xe0 kernel/bpf/syscall.c:5900\n ia32_sys_call+0x394d/0x4180 arch/x86/include/generated/asm/syscalls_32.h:358\n do_syscall_32_irqs_on arch/x86/entry/common.c:165 [inline]\n __do_fast_syscall_32+0xb0/0x110 arch/x86/entry/common.c:387\n do_fast_syscall_32+0x38/0x80 arch/x86/entry/common.c:412\n do_SYSENTER_32+0x1f/0x30 arch/x86/entry/common.c:450\n entry_SYSENTER_compat_after_hwframe+0x84/0x8e\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4121 [inline]\n slab_alloc_node mm/slub.c:4164 [inline]\n kmem_cache_alloc_noprof+0x915/0xe10 mm/slub.c:4171\n insert_tree net/netfilter/nf_conncount.c:372 [inline]\n count_tree net/netfilter/nf_conncount.c:450 [inline]\n nf_conncount_count+0x1415/0x1e80 net/netfilter/nf_conncount.c:521\n connlimit_mt+0x7f6/0xbd0 net/netfilter/xt_connlimit.c:72\n __nft_match_eval net/netfilter/nft_compat.c:403 [inline]\n nft_match_eval+0x1a5/0x300 net/netfilter/nft_compat.c:433\n expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]\n nft_do_chain+0x426/0x2290 net/netfilter/nf_tables_core.c:288\n nft_do_chain_ipv4+0x1a5/0x230 net/netfilter/nft_chain_filter.c:23\n nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]\n nf_hook_slow+0xf4/0x400 net/netfilter/core.c:626\n nf_hook_slow_list+0x24d/0x860 net/netfilter/core.c:663\n NF_HOOK_LIST include/linux/netfilter.h:350 [inline]\n ip_sublist_rcv+0x17b7/0x17f0 net/ipv4/ip_input.c:633\n ip_list_rcv+0x9ef/0xa40 net/ip\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:49.497Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f522229c5563b59b4240261e406779bba6754159"
        },
        {
          "url": "https://git.kernel.org/stable/c/2a154ce766b995494e88d8d117fa82cc6b73dd87"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8544a5a97bee3674e7cd6bf0f3a4af517fa9146"
        },
        {
          "url": "https://git.kernel.org/stable/c/a62a25c6ad58fae997f48a0749afeda1c252ae51"
        },
        {
          "url": "https://git.kernel.org/stable/c/fda50302a13701d47fbe01e1739c7a51114144fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/db1e0c0856821c59a32ea3af79476bf20a6beeb2"
        },
        {
          "url": "https://git.kernel.org/stable/c/2db5baaf047a7c8d6ed5e2cc657b7854e155b7fc"
        },
        {
          "url": "https://git.kernel.org/stable/c/d653bfeb07ebb3499c403404c21ac58a16531607"
        }
      ],
      "title": "netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21959",
    "datePublished": "2025-04-01T15:46:57.775Z",
    "dateReserved": "2024-12-29T08:45:45.793Z",
    "dateUpdated": "2025-11-03T19:40:01.234Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-53197 (GCVE-0-2024-53197)

Vulnerability from cvelistv5 – Published: 2024-12-27 13:49 – Updated: 2025-11-03 20:47

Title

ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0b4ea4bfe16566b84…
	https://git.kernel.org/stable/c/9b8460a2a7ce478e0…
	https://git.kernel.org/stable/c/62dc01c83fa71e104…
	https://git.kernel.org/stable/c/9887d859cd6072743…
	https://git.kernel.org/stable/c/920a369a9f014f10e…
	https://git.kernel.org/stable/c/b8f8b81dabe52b413…
	https://git.kernel.org/stable/c/379d3b9799d9da953…
	https://git.kernel.org/stable/c/b521b53ac6eb04e41…
	https://git.kernel.org/stable/c/b909df18ce2a998af…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0b4ea4bfe16566b84645ded1403756a2dc4e0f19 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9b8460a2a7ce478e0b625af7c56d444dc24190f7 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 62dc01c83fa71e10446ee4c31e0e3d5d1291e865 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 9887d859cd60727432a01564e8f91302d361b72b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 920a369a9f014f10ec282fd298d0666129379f1b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b8f8b81dabe52b413fe9e062e8a852c48dd0680d (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 379d3b9799d9da953391e973b934764f01e03960 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b521b53ac6eb04e41c03f46f7fe452e4d8e9bcca (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b909df18ce2a998afef81d58bbd1a05dc0788c40 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 4.19.325 , ≤ 4.19.* (semver)
Unaffected: 5.4.287 , ≤ 5.4.* (semver)
Unaffected: 5.10.231 , ≤ 5.10.* (semver)
Unaffected: 5.15.174 , ≤ 5.15.* (semver)
Unaffected: 6.1.120 , ≤ 6.1.* (semver)
Unaffected: 6.6.64 , ≤ 6.6.* (semver)
Unaffected: 6.11.11 , ≤ 6.11.* (semver)
Unaffected: 6.12.2 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-53197",
                "options": [
                  {
                    "Exploitation": "active"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-09T18:17:11.337680Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          },
          {
            "other": {
              "content": {
                "dateAdded": "2025-04-09",
                "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53197"
              },
              "type": "kev"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-21T22:55:33.453Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "government-resource"
            ],
            "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-53197"
          }
        ],
        "timeline": [
          {
            "lang": "en",
            "time": "2025-04-09T00:00:00+00:00",
            "value": "CVE-2024-53197 added to CISA KEV"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:47:29.910Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/quirks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0b4ea4bfe16566b84645ded1403756a2dc4e0f19",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9b8460a2a7ce478e0b625af7c56d444dc24190f7",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "62dc01c83fa71e10446ee4c31e0e3d5d1291e865",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "9887d859cd60727432a01564e8f91302d361b72b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "920a369a9f014f10ec282fd298d0666129379f1b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b8f8b81dabe52b413fe9e062e8a852c48dd0680d",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "379d3b9799d9da953391e973b934764f01e03960",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b521b53ac6eb04e41c03f46f7fe452e4d8e9bcca",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b909df18ce2a998afef81d58bbd1a05dc0788c40",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/usb/quirks.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.325",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.287",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.231",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.174",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.64",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.325",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.287",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.231",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.174",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.120",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.64",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.11",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.2",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices\n\nA bogus device can provide a bNumConfigurations value that exceeds the\ninitial value used in usb_get_configuration for allocating dev-\u003econfig.\n\nThis can lead to out-of-bounds accesses later, e.g. in\nusb_destroy_configuration."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:55:32.524Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0b4ea4bfe16566b84645ded1403756a2dc4e0f19"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b8460a2a7ce478e0b625af7c56d444dc24190f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/62dc01c83fa71e10446ee4c31e0e3d5d1291e865"
        },
        {
          "url": "https://git.kernel.org/stable/c/9887d859cd60727432a01564e8f91302d361b72b"
        },
        {
          "url": "https://git.kernel.org/stable/c/920a369a9f014f10ec282fd298d0666129379f1b"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8f8b81dabe52b413fe9e062e8a852c48dd0680d"
        },
        {
          "url": "https://git.kernel.org/stable/c/379d3b9799d9da953391e973b934764f01e03960"
        },
        {
          "url": "https://git.kernel.org/stable/c/b521b53ac6eb04e41c03f46f7fe452e4d8e9bcca"
        },
        {
          "url": "https://git.kernel.org/stable/c/b909df18ce2a998afef81d58bbd1a05dc0788c40"
        }
      ],
      "title": "ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-53197",
    "datePublished": "2024-12-27T13:49:39.260Z",
    "dateReserved": "2024-11-19T17:17:25.015Z",
    "dateUpdated": "2025-11-03T20:47:29.910Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57986 (GCVE-0-2024-57986)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:33

Title

HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections A report in 2019 by the syzbot fuzzer was found to be connected to two errors in the HID core associated with Resolution Multipliers. One of the errors was fixed by commit ea427a222d8b ("HID: core: Fix deadloop in hid_apply_multiplier."), but the other has not been fixed. This error arises because hid_apply_multipler() assumes that every Resolution Multiplier control is contained in a Logical Collection, i.e., there's no way the routine can ever set multiplier_collection to NULL. This is in spite of the fact that the function starts with a big comment saying: * "The Resolution Multiplier control must be contained in the same * Logical Collection as the control(s) to which it is to be applied. ... * If no Logical Collection is * defined, the Resolution Multiplier is associated with all * controls in the report." * HID Usage Table, v1.12, Section 4.3.1, p30 * * Thus, search from the current collection upwards until we find a * logical collection... The comment and the code overlook the possibility that none of the collections found may be a Logical Collection. The fix is to set the multiplier_collection pointer to NULL if the collection found isn't a Logical Collection.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/3a002e4029230d9a6…
	https://git.kernel.org/stable/c/05dd7d10675b540b8…
	https://git.kernel.org/stable/c/a32ea3f982b389ea4…
	https://git.kernel.org/stable/c/bebf542e8d7c44a18…
	https://git.kernel.org/stable/c/ed3d3883476423f33…
	https://git.kernel.org/stable/c/ebaeca33d32c8bdb7…
	https://git.kernel.org/stable/c/a5498f1f864ea26f4…
	https://git.kernel.org/stable/c/64f2657b579343cf9…

Impacted products

Vendor

Product

Version

Linux

Affected: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc , < 3a002e4029230d9a6be89f869b2328b258612f5c (git)
Affected: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc , < 05dd7d10675b540b8b7b31035c0a8abb6e6f3b88 (git)
Affected: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc , < a32ea3f982b389ea43a41ce77b6fb70d74006d9b (git)
Affected: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc , < bebf542e8d7c44a18a95f306b1b5dc160c823506 (git)
Affected: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc , < ed3d3883476423f337aac0f22c521819b3f1e970 (git)
Affected: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc , < ebaeca33d32c8bdb705a8c88267737a456f354b1 (git)
Affected: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc , < a5498f1f864ea26f4c613c77f54409c776a95a90 (git)
Affected: 5a4abb36f312cf83206b1b7d1308ba47cba0b3cc , < 64f2657b579343cf923aa933f08074e6258eb07b (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:33:04.819Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "3a002e4029230d9a6be89f869b2328b258612f5c",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "05dd7d10675b540b8b7b31035c0a8abb6e6f3b88",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "a32ea3f982b389ea43a41ce77b6fb70d74006d9b",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "bebf542e8d7c44a18a95f306b1b5dc160c823506",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "ed3d3883476423f337aac0f22c521819b3f1e970",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "ebaeca33d32c8bdb705a8c88267737a456f354b1",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "a5498f1f864ea26f4c613c77f54409c776a95a90",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            },
            {
              "lessThan": "64f2657b579343cf923aa933f08074e6258eb07b",
              "status": "affected",
              "version": "5a4abb36f312cf83206b1b7d1308ba47cba0b3cc",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/hid-core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: core: Fix assumption that Resolution Multipliers must be in Logical Collections\n\nA report in 2019 by the syzbot fuzzer was found to be connected to two\nerrors in the HID core associated with Resolution Multipliers.  One of\nthe errors was fixed by commit ea427a222d8b (\"HID: core: Fix deadloop\nin hid_apply_multiplier.\"), but the other has not been fixed.\n\nThis error arises because hid_apply_multipler() assumes that every\nResolution Multiplier control is contained in a Logical Collection,\ni.e., there\u0027s no way the routine can ever set multiplier_collection to\nNULL.  This is in spite of the fact that the function starts with a\nbig comment saying:\n\n\t * \"The Resolution Multiplier control must be contained in the same\n\t * Logical Collection as the control(s) to which it is to be applied.\n\t   ...\n\t *  If no Logical Collection is\n\t * defined, the Resolution Multiplier is associated with all\n\t * controls in the report.\"\n\t * HID Usage Table, v1.12, Section 4.3.1, p30\n\t *\n\t * Thus, search from the current collection upwards until we find a\n\t * logical collection...\n\nThe comment and the code overlook the possibility that none of the\ncollections found may be a Logical Collection.\n\nThe fix is to set the multiplier_collection pointer to NULL if the\ncollection found isn\u0027t a Logical Collection."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:07:45.914Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/3a002e4029230d9a6be89f869b2328b258612f5c"
        },
        {
          "url": "https://git.kernel.org/stable/c/05dd7d10675b540b8b7b31035c0a8abb6e6f3b88"
        },
        {
          "url": "https://git.kernel.org/stable/c/a32ea3f982b389ea43a41ce77b6fb70d74006d9b"
        },
        {
          "url": "https://git.kernel.org/stable/c/bebf542e8d7c44a18a95f306b1b5dc160c823506"
        },
        {
          "url": "https://git.kernel.org/stable/c/ed3d3883476423f337aac0f22c521819b3f1e970"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebaeca33d32c8bdb705a8c88267737a456f354b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/a5498f1f864ea26f4c613c77f54409c776a95a90"
        },
        {
          "url": "https://git.kernel.org/stable/c/64f2657b579343cf923aa933f08074e6258eb07b"
        }
      ],
      "title": "HID: core: Fix assumption that Resolution Multipliers must be in Logical Collections",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57986",
    "datePublished": "2025-02-27T02:07:10.621Z",
    "dateReserved": "2025-02-27T02:04:28.913Z",
    "dateUpdated": "2025-11-03T19:33:04.819Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37859 (GCVE-0-2025-37859)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:42 – Updated: 2025-11-03 19:56

Title

page_pool: avoid infinite loop to schedule delayed worker

Summary

In the Linux kernel, the following vulnerability has been resolved: page_pool: avoid infinite loop to schedule delayed worker We noticed the kworker in page_pool_release_retry() was waken up repeatedly and infinitely in production because of the buggy driver causing the inflight less than 0 and warning us in page_pool_inflight()[1]. Since the inflight value goes negative, it means we should not expect the whole page_pool to get back to work normally. This patch mitigates the adverse effect by not rescheduling the kworker when detecting the inflight negative in page_pool_release_retry(). [1] [Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------ [Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages ... [Mon Feb 10 20:36:11 2025] Call Trace: [Mon Feb 10 20:36:11 2025] page_pool_release_retry+0x23/0x70 [Mon Feb 10 20:36:11 2025] process_one_work+0x1b1/0x370 [Mon Feb 10 20:36:11 2025] worker_thread+0x37/0x3a0 [Mon Feb 10 20:36:11 2025] kthread+0x11a/0x140 [Mon Feb 10 20:36:11 2025] ? process_one_work+0x370/0x370 [Mon Feb 10 20:36:11 2025] ? __kthread_cancel_work+0x40/0x40 [Mon Feb 10 20:36:11 2025] ret_from_fork+0x35/0x40 [Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]--- Note: before this patch, the above calltrace would flood the dmesg due to repeated reschedule of release_dw kworker.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c3c7c57017ce1d4b2…
	https://git.kernel.org/stable/c/9f71db4fb82deb889…
	https://git.kernel.org/stable/c/91522aba56e9fcdf6…
	https://git.kernel.org/stable/c/90e089a64504982f8…
	https://git.kernel.org/stable/c/95f17738b86fd1989…
	https://git.kernel.org/stable/c/7204335d1991c23fc…
	https://git.kernel.org/stable/c/e74e5aa33228c5e2c…
	https://git.kernel.org/stable/c/738d1812ec2e395e9…
	https://git.kernel.org/stable/c/43130d02baa137033…

Impacted products

Vendor

Product

Version

Linux

Affected: 05f646cb2174d1a4e032b60b99097f5c4b522616 , < c3c7c57017ce1d4b2d3788c1fc59e7e39026e158 (git)
Affected: c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3 , < 9f71db4fb82deb889e0bac4a51b34daea7d506a3 (git)
Affected: c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3 , < 91522aba56e9fcdf64da25ffef9b27f8fad48e0f (git)
Affected: c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3 , < 90e089a64504982f8d62f223027cb9f903781f78 (git)
Affected: c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3 , < 95f17738b86fd198924d874a5639bcdc49c7e5b8 (git)
Affected: c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3 , < 7204335d1991c23fc615ab76f31f175748a578e1 (git)
Affected: c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3 , < e74e5aa33228c5e2cb4fc80ad103541a7b7805ec (git)
Affected: c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3 , < 738d1812ec2e395e953258aea912ddd867d11a13 (git)
Affected: c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3 , < 43130d02baa137033c25297aaae95fd0edc41654 (git)
Affected: bf22306d92ca59c59dc4aa3bab14768948193d56 (git)

Linux

Affected: 5.5
Unaffected: 0 , < 5.5 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:38.707Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/page_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c3c7c57017ce1d4b2d3788c1fc59e7e39026e158",
              "status": "affected",
              "version": "05f646cb2174d1a4e032b60b99097f5c4b522616",
              "versionType": "git"
            },
            {
              "lessThan": "9f71db4fb82deb889e0bac4a51b34daea7d506a3",
              "status": "affected",
              "version": "c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3",
              "versionType": "git"
            },
            {
              "lessThan": "91522aba56e9fcdf64da25ffef9b27f8fad48e0f",
              "status": "affected",
              "version": "c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3",
              "versionType": "git"
            },
            {
              "lessThan": "90e089a64504982f8d62f223027cb9f903781f78",
              "status": "affected",
              "version": "c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3",
              "versionType": "git"
            },
            {
              "lessThan": "95f17738b86fd198924d874a5639bcdc49c7e5b8",
              "status": "affected",
              "version": "c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3",
              "versionType": "git"
            },
            {
              "lessThan": "7204335d1991c23fc615ab76f31f175748a578e1",
              "status": "affected",
              "version": "c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3",
              "versionType": "git"
            },
            {
              "lessThan": "e74e5aa33228c5e2cb4fc80ad103541a7b7805ec",
              "status": "affected",
              "version": "c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3",
              "versionType": "git"
            },
            {
              "lessThan": "738d1812ec2e395e953258aea912ddd867d11a13",
              "status": "affected",
              "version": "c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3",
              "versionType": "git"
            },
            {
              "lessThan": "43130d02baa137033c25297aaae95fd0edc41654",
              "status": "affected",
              "version": "c3f812cea0d7006469d1cf33a4a9f0a12bb4b3a3",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "bf22306d92ca59c59dc4aa3bab14768948193d56",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/page_pool.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.5"
            },
            {
              "lessThan": "5.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "5.4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.3.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npage_pool: avoid infinite loop to schedule delayed worker\n\nWe noticed the kworker in page_pool_release_retry() was waken\nup repeatedly and infinitely in production because of the\nbuggy driver causing the inflight less than 0 and warning\nus in page_pool_inflight()[1].\n\nSince the inflight value goes negative, it means we should\nnot expect the whole page_pool to get back to work normally.\n\nThis patch mitigates the adverse effect by not rescheduling\nthe kworker when detecting the inflight negative in\npage_pool_release_retry().\n\n[1]\n[Mon Feb 10 20:36:11 2025] ------------[ cut here ]------------\n[Mon Feb 10 20:36:11 2025] Negative(-51446) inflight packet-pages\n...\n[Mon Feb 10 20:36:11 2025] Call Trace:\n[Mon Feb 10 20:36:11 2025]  page_pool_release_retry+0x23/0x70\n[Mon Feb 10 20:36:11 2025]  process_one_work+0x1b1/0x370\n[Mon Feb 10 20:36:11 2025]  worker_thread+0x37/0x3a0\n[Mon Feb 10 20:36:11 2025]  kthread+0x11a/0x140\n[Mon Feb 10 20:36:11 2025]  ? process_one_work+0x370/0x370\n[Mon Feb 10 20:36:11 2025]  ? __kthread_cancel_work+0x40/0x40\n[Mon Feb 10 20:36:11 2025]  ret_from_fork+0x35/0x40\n[Mon Feb 10 20:36:11 2025] ---[ end trace ebffe800f33e7e34 ]---\nNote: before this patch, the above calltrace would flood the\ndmesg due to repeated reschedule of release_dw kworker."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-03T12:59:28.664Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c3c7c57017ce1d4b2d3788c1fc59e7e39026e158"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f71db4fb82deb889e0bac4a51b34daea7d506a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/91522aba56e9fcdf64da25ffef9b27f8fad48e0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/90e089a64504982f8d62f223027cb9f903781f78"
        },
        {
          "url": "https://git.kernel.org/stable/c/95f17738b86fd198924d874a5639bcdc49c7e5b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/7204335d1991c23fc615ab76f31f175748a578e1"
        },
        {
          "url": "https://git.kernel.org/stable/c/e74e5aa33228c5e2cb4fc80ad103541a7b7805ec"
        },
        {
          "url": "https://git.kernel.org/stable/c/738d1812ec2e395e953258aea912ddd867d11a13"
        },
        {
          "url": "https://git.kernel.org/stable/c/43130d02baa137033c25297aaae95fd0edc41654"
        }
      ],
      "title": "page_pool: avoid infinite loop to schedule delayed worker",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37859",
    "datePublished": "2025-05-09T06:42:06.596Z",
    "dateReserved": "2025-04-16T04:51:23.957Z",
    "dateUpdated": "2025-11-03T19:56:38.707Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-42230 (GCVE-0-2024-42230)

Vulnerability from cvelistv5 – Published: 2024-07-30 07:47 – Updated: 2025-11-03 22:02

Title

powerpc/pseries: Fix scv instruction crash with kexec

Summary

In the Linux kernel, the following vulnerability has been resolved: powerpc/pseries: Fix scv instruction crash with kexec kexec on pseries disables AIL (reloc_on_exc), required for scv instruction support, before other CPUs have been shut down. This means they can execute scv instructions after AIL is disabled, which causes an interrupt at an unexpected entry location that crashes the kernel. Change the kexec sequence to disable AIL after other CPUs have been brought down. As a refresher, the real-mode scv interrupt vector is 0x17000, and the fixed-location head code probably couldn't easily deal with implementing such high addresses so it was just decided not to support that interrupt at all.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c550679d604798d9f…
	https://git.kernel.org/stable/c/d10e3c39001e9194b…
	https://git.kernel.org/stable/c/8c6506616386ce37e…
	https://git.kernel.org/stable/c/21a741eb75f80397e…

Impacted products

Vendor

Product

Version

Linux

Affected: 7fa95f9adaee7e5cbb195d3359741120829e488b , < c550679d604798d9fed8a5b2bb5693448a25407c (git)
Affected: 7fa95f9adaee7e5cbb195d3359741120829e488b , < d10e3c39001e9194b9a1bfd6979bd3fa19dccdc5 (git)
Affected: 7fa95f9adaee7e5cbb195d3359741120829e488b , < 8c6506616386ce37e59b2745fc481c6713fae4f3 (git)
Affected: 7fa95f9adaee7e5cbb195d3359741120829e488b , < 21a741eb75f80397e5f7d3739e24d7d75e619011 (git)

Linux

Affected: 5.9
Unaffected: 0 , < 5.9 (semver)
Unaffected: 6.1.98 , ≤ 6.1.* (semver)
Unaffected: 6.6.39 , ≤ 6.6.* (semver)
Unaffected: 6.9.9 , ≤ 6.9.* (semver)
Unaffected: 6.10 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:02:34.842Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/c550679d604798d9fed8a5b2bb5693448a25407c"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d10e3c39001e9194b9a1bfd6979bd3fa19dccdc5"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/8c6506616386ce37e59b2745fc481c6713fae4f3"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/21a741eb75f80397e5f7d3739e24d7d75e619011"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-42230",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-09-10T16:14:24.948809Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-09-11T17:34:32.851Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/kexec/core_64.c",
            "arch/powerpc/platforms/pseries/kexec.c",
            "arch/powerpc/platforms/pseries/pseries.h",
            "arch/powerpc/platforms/pseries/setup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c550679d604798d9fed8a5b2bb5693448a25407c",
              "status": "affected",
              "version": "7fa95f9adaee7e5cbb195d3359741120829e488b",
              "versionType": "git"
            },
            {
              "lessThan": "d10e3c39001e9194b9a1bfd6979bd3fa19dccdc5",
              "status": "affected",
              "version": "7fa95f9adaee7e5cbb195d3359741120829e488b",
              "versionType": "git"
            },
            {
              "lessThan": "8c6506616386ce37e59b2745fc481c6713fae4f3",
              "status": "affected",
              "version": "7fa95f9adaee7e5cbb195d3359741120829e488b",
              "versionType": "git"
            },
            {
              "lessThan": "21a741eb75f80397e5f7d3739e24d7d75e619011",
              "status": "affected",
              "version": "7fa95f9adaee7e5cbb195d3359741120829e488b",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/powerpc/kexec/core_64.c",
            "arch/powerpc/platforms/pseries/kexec.c",
            "arch/powerpc/platforms/pseries/pseries.h",
            "arch/powerpc/platforms/pseries/setup.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.9"
            },
            {
              "lessThan": "5.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.98",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.39",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.9.*",
              "status": "unaffected",
              "version": "6.9.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.10",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.98",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.39",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9.9",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10",
                  "versionStartIncluding": "5.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\npowerpc/pseries: Fix scv instruction crash with kexec\n\nkexec on pseries disables AIL (reloc_on_exc), required for scv\ninstruction support, before other CPUs have been shut down. This means\nthey can execute scv instructions after AIL is disabled, which causes an\ninterrupt at an unexpected entry location that crashes the kernel.\n\nChange the kexec sequence to disable AIL after other CPUs have been\nbrought down.\n\nAs a refresher, the real-mode scv interrupt vector is 0x17000, and the\nfixed-location head code probably couldn\u0027t easily deal with implementing\nsuch high addresses so it was just decided not to support that interrupt\nat all."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:24:38.574Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c550679d604798d9fed8a5b2bb5693448a25407c"
        },
        {
          "url": "https://git.kernel.org/stable/c/d10e3c39001e9194b9a1bfd6979bd3fa19dccdc5"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c6506616386ce37e59b2745fc481c6713fae4f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/21a741eb75f80397e5f7d3739e24d7d75e619011"
        }
      ],
      "title": "powerpc/pseries: Fix scv instruction crash with kexec",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-42230",
    "datePublished": "2024-07-30T07:47:10.703Z",
    "dateReserved": "2024-07-30T07:40:12.250Z",
    "dateUpdated": "2025-11-03T22:02:34.842Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-57924 (GCVE-0-2024-57924)

Vulnerability from cvelistv5 – Published: 2025-01-19 11:52 – Updated: 2026-01-05 10:56

Title

fs: relax assertions on failure to encode file handles

Summary

In the Linux kernel, the following vulnerability has been resolved: fs: relax assertions on failure to encode file handles Encoding file handles is usually performed by a filesystem >encode_fh() method that may fail for various reasons. The legacy users of exportfs_encode_fh(), namely, nfsd and name_to_handle_at(2) syscall are ready to cope with the possibility of failure to encode a file handle. There are a few other users of exportfs_encode_{fh,fid}() that currently have a WARN_ON() assertion when ->encode_fh() fails. Relax those assertions because they are wrong. The second linked bug report states commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles") in v6.6 as the regressing commit, but this is not accurate. The aforementioned commit only increases the chances of the assertion and allows triggering the assertion with the reproducer using overlayfs, inotify and drop_caches. Triggering this assertion was always possible with other filesystems and other reasons of ->encode_fh() failures and more particularly, it was also possible with the exact same reproducer using overlayfs that is mounted with options index=on,nfs_export=on also on kernels < v6.6. Therefore, I am not listing the aforementioned commit as a Fixes commit. Backport hint: this patch will have a trivial conflict applying to v6.6.y, and other trivial conflicts applying to stable kernels < v6.6.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/73697928c806fe468…
	https://git.kernel.org/stable/c/f47c834a9131ae64b…
	https://git.kernel.org/stable/c/adcde2872f8fc399b…
	https://git.kernel.org/stable/c/974e3fe0ac61de850…

Impacted products

Vendor

Product

Version

Linux

Affected: be77196b809cdce8603a5aadd5e3cfabd3cbef96 , < 73697928c806fe4689939722184a86fc1c1957b4 (git)
Affected: be77196b809cdce8603a5aadd5e3cfabd3cbef96 , < f47c834a9131ae64bee3c462f4e610c67b0a000f (git)
Affected: be77196b809cdce8603a5aadd5e3cfabd3cbef96 , < adcde2872f8fc399b249758ae1990dcd53b694ea (git)
Affected: be77196b809cdce8603a5aadd5e3cfabd3cbef96 , < 974e3fe0ac61de85015bbe5a4990cf4127b304b2 (git)

Linux

Affected: 3.8
Unaffected: 0 , < 3.8 (semver)
Unaffected: 6.1.151 , ≤ 6.1.* (semver)
Unaffected: 6.6.74 , ≤ 6.6.* (semver)
Unaffected: 6.12.10 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:31:30.542Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/notify/fdinfo.c",
            "fs/overlayfs/copy_up.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "73697928c806fe4689939722184a86fc1c1957b4",
              "status": "affected",
              "version": "be77196b809cdce8603a5aadd5e3cfabd3cbef96",
              "versionType": "git"
            },
            {
              "lessThan": "f47c834a9131ae64bee3c462f4e610c67b0a000f",
              "status": "affected",
              "version": "be77196b809cdce8603a5aadd5e3cfabd3cbef96",
              "versionType": "git"
            },
            {
              "lessThan": "adcde2872f8fc399b249758ae1990dcd53b694ea",
              "status": "affected",
              "version": "be77196b809cdce8603a5aadd5e3cfabd3cbef96",
              "versionType": "git"
            },
            {
              "lessThan": "974e3fe0ac61de85015bbe5a4990cf4127b304b2",
              "status": "affected",
              "version": "be77196b809cdce8603a5aadd5e3cfabd3cbef96",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/notify/fdinfo.c",
            "fs/overlayfs/copy_up.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.8"
            },
            {
              "lessThan": "3.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.151",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.151",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.10",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "3.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfs: relax assertions on failure to encode file handles\n\nEncoding file handles is usually performed by a filesystem \u003eencode_fh()\nmethod that may fail for various reasons.\n\nThe legacy users of exportfs_encode_fh(), namely, nfsd and\nname_to_handle_at(2) syscall are ready to cope with the possibility\nof failure to encode a file handle.\n\nThere are a few other users of exportfs_encode_{fh,fid}() that\ncurrently have a WARN_ON() assertion when -\u003eencode_fh() fails.\nRelax those assertions because they are wrong.\n\nThe second linked bug report states commit 16aac5ad1fa9 (\"ovl: support\nencoding non-decodable file handles\") in v6.6 as the regressing commit,\nbut this is not accurate.\n\nThe aforementioned commit only increases the chances of the assertion\nand allows triggering the assertion with the reproducer using overlayfs,\ninotify and drop_caches.\n\nTriggering this assertion was always possible with other filesystems and\nother reasons of -\u003eencode_fh() failures and more particularly, it was\nalso possible with the exact same reproducer using overlayfs that is\nmounted with options index=on,nfs_export=on also on kernels \u003c v6.6.\nTherefore, I am not listing the aforementioned commit as a Fixes commit.\n\nBackport hint: this patch will have a trivial conflict applying to\nv6.6.y, and other trivial conflicts applying to stable kernels \u003c v6.6."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:56:41.396Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/73697928c806fe4689939722184a86fc1c1957b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/f47c834a9131ae64bee3c462f4e610c67b0a000f"
        },
        {
          "url": "https://git.kernel.org/stable/c/adcde2872f8fc399b249758ae1990dcd53b694ea"
        },
        {
          "url": "https://git.kernel.org/stable/c/974e3fe0ac61de85015bbe5a4990cf4127b304b2"
        }
      ],
      "title": "fs: relax assertions on failure to encode file handles",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57924",
    "datePublished": "2025-01-19T11:52:42.458Z",
    "dateReserved": "2025-01-19T11:50:08.376Z",
    "dateUpdated": "2026-01-05T10:56:41.396Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-50157 (GCVE-0-2024-50157)

Vulnerability from cvelistv5 – Published: 2024-11-07 09:31 – Updated: 2025-05-04 09:47

Title

RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop Driver waits indefinitely for the fifo occupancy to go below a threshold as soon as the pacing interrupt is received. This can cause soft lockup on one of the processors, if the rate of DB is very high. Add a loop count for FPGA and exit the __wait_for_fifo_occupancy_below_th if the loop is taking more time. Pacing will be continuing until the occupancy is below the threshold. This is ensured by the checks in bnxt_re_pacing_timer_exp and further scheduling the work for pacing based on the fifo occupancy.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7998e7efd1d557af1…
	https://git.kernel.org/stable/c/2fb6b2e82413e401b…
	https://git.kernel.org/stable/c/8be3e5b0c96beeefe…

Impacted products

Vendor

Product

Version

Linux

Affected: 2ad4e6303a6d7518632739eaf67821a3553db1bd , < 7998e7efd1d557af118ac96f48ebc569b929b555 (git)
Affected: 2ad4e6303a6d7518632739eaf67821a3553db1bd , < 2fb6b2e82413e401b72dfeacd7a60416fcfc5b41 (git)
Affected: 2ad4e6303a6d7518632739eaf67821a3553db1bd , < 8be3e5b0c96beeefe9d5486b96575d104d3e7d17 (git)

Linux

Affected: 6.6
Unaffected: 0 , < 6.6 (semver)
Unaffected: 6.6.75 , ≤ 6.6.* (semver)
Unaffected: 6.11.6 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/bnxt_re/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7998e7efd1d557af118ac96f48ebc569b929b555",
              "status": "affected",
              "version": "2ad4e6303a6d7518632739eaf67821a3553db1bd",
              "versionType": "git"
            },
            {
              "lessThan": "2fb6b2e82413e401b72dfeacd7a60416fcfc5b41",
              "status": "affected",
              "version": "2ad4e6303a6d7518632739eaf67821a3553db1bd",
              "versionType": "git"
            },
            {
              "lessThan": "8be3e5b0c96beeefe9d5486b96575d104d3e7d17",
              "status": "affected",
              "version": "2ad4e6303a6d7518632739eaf67821a3553db1bd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/hw/bnxt_re/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.6"
            },
            {
              "lessThan": "6.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.75",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.75",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.6",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "6.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop\n\nDriver waits indefinitely for the fifo occupancy to go below a threshold\nas soon as the pacing interrupt is received. This can cause soft lockup on\none of the processors, if the rate of DB is very high.\n\nAdd a loop count for FPGA and exit the __wait_for_fifo_occupancy_below_th\nif the loop is taking more time. Pacing will be continuing until the\noccupancy is below the threshold. This is ensured by the checks in\nbnxt_re_pacing_timer_exp and further scheduling the work for pacing based\non the fifo occupancy."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:47:30.233Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7998e7efd1d557af118ac96f48ebc569b929b555"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fb6b2e82413e401b72dfeacd7a60416fcfc5b41"
        },
        {
          "url": "https://git.kernel.org/stable/c/8be3e5b0c96beeefe9d5486b96575d104d3e7d17"
        }
      ],
      "title": "RDMA/bnxt_re: Avoid CPU lockups due fifo occupancy check loop",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-50157",
    "datePublished": "2024-11-07T09:31:34.355Z",
    "dateReserved": "2024-10-21T19:36:19.960Z",
    "dateUpdated": "2025-05-04T09:47:30.233Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22126 (GCVE-0-2025-22126)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-11-03 19:42

Title

md: fix mddev uaf while iterating all_mddevs list

Summary

In the Linux kernel, the following vulnerability has been resolved: md: fix mddev uaf while iterating all_mddevs list While iterating all_mddevs list from md_notify_reboot() and md_exit(), list_for_each_entry_safe is used, and this can race with deletint the next mddev, causing UAF: t1: spin_lock //list_for_each_entry_safe(mddev, n, ...) mddev_get(mddev1) // assume mddev2 is the next entry spin_unlock t2: //remove mddev2 ... mddev_free spin_lock list_del spin_unlock kfree(mddev2) mddev_put(mddev1) spin_lock //continue dereference mddev2->all_mddevs The old helper for_each_mddev() actually grab the reference of mddev2 while holding the lock, to prevent from being freed. This problem can be fixed the same way, however, the code will be complex. Hence switch to use list_for_each_entry, in this case mddev_put() can free the mddev1 and it's not safe as well. Refer to md_seq_show(), also factor out a helper mddev_put_locked() to fix this problem.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ca9f84de76723b358…
	https://git.kernel.org/stable/c/d69a23d8e925f8052…
	https://git.kernel.org/stable/c/e2a9f73ee408a460f…
	https://git.kernel.org/stable/c/5462544ccbad3fc93…
	https://git.kernel.org/stable/c/8542870237c3a48ff…

Impacted products

Vendor

Product

Version

Linux

Affected: f26514342255855f4ca3c0a92cb1cdea01c33004 , < ca9f84de76723b358dfc0606668efdca54afc2e5 (git)
Affected: f26514342255855f4ca3c0a92cb1cdea01c33004 , < d69a23d8e925f8052d657652a6875ec2712c7e33 (git)
Affected: f26514342255855f4ca3c0a92cb1cdea01c33004 , < e2a9f73ee408a460f4c9dfe03b4741d6b11652b8 (git)
Affected: f26514342255855f4ca3c0a92cb1cdea01c33004 , < 5462544ccbad3fc938a71b01fa5bd3a0dc2b750a (git)
Affected: f26514342255855f4ca3c0a92cb1cdea01c33004 , < 8542870237c3a48ff049b6c5df5f50c8728284fa (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:14.519Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/md.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ca9f84de76723b358dfc0606668efdca54afc2e5",
              "status": "affected",
              "version": "f26514342255855f4ca3c0a92cb1cdea01c33004",
              "versionType": "git"
            },
            {
              "lessThan": "d69a23d8e925f8052d657652a6875ec2712c7e33",
              "status": "affected",
              "version": "f26514342255855f4ca3c0a92cb1cdea01c33004",
              "versionType": "git"
            },
            {
              "lessThan": "e2a9f73ee408a460f4c9dfe03b4741d6b11652b8",
              "status": "affected",
              "version": "f26514342255855f4ca3c0a92cb1cdea01c33004",
              "versionType": "git"
            },
            {
              "lessThan": "5462544ccbad3fc938a71b01fa5bd3a0dc2b750a",
              "status": "affected",
              "version": "f26514342255855f4ca3c0a92cb1cdea01c33004",
              "versionType": "git"
            },
            {
              "lessThan": "8542870237c3a48ff049b6c5df5f50c8728284fa",
              "status": "affected",
              "version": "f26514342255855f4ca3c0a92cb1cdea01c33004",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/md.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmd: fix mddev uaf while iterating all_mddevs list\n\nWhile iterating all_mddevs list from md_notify_reboot() and md_exit(),\nlist_for_each_entry_safe is used, and this can race with deletint the\nnext mddev, causing UAF:\n\nt1:\nspin_lock\n//list_for_each_entry_safe(mddev, n, ...)\n mddev_get(mddev1)\n // assume mddev2 is the next entry\n spin_unlock\n            t2:\n            //remove mddev2\n            ...\n            mddev_free\n            spin_lock\n            list_del\n            spin_unlock\n            kfree(mddev2)\n mddev_put(mddev1)\n spin_lock\n //continue dereference mddev2-\u003eall_mddevs\n\nThe old helper for_each_mddev() actually grab the reference of mddev2\nwhile holding the lock, to prevent from being freed. This problem can be\nfixed the same way, however, the code will be complex.\n\nHence switch to use list_for_each_entry, in this case mddev_put() can free\nthe mddev1 and it\u0027s not safe as well. Refer to md_seq_show(), also factor\nout a helper mddev_put_locked() to fix this problem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:02.408Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ca9f84de76723b358dfc0606668efdca54afc2e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/d69a23d8e925f8052d657652a6875ec2712c7e33"
        },
        {
          "url": "https://git.kernel.org/stable/c/e2a9f73ee408a460f4c9dfe03b4741d6b11652b8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5462544ccbad3fc938a71b01fa5bd3a0dc2b750a"
        },
        {
          "url": "https://git.kernel.org/stable/c/8542870237c3a48ff049b6c5df5f50c8728284fa"
        }
      ],
      "title": "md: fix mddev uaf while iterating all_mddevs list",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22126",
    "datePublished": "2025-04-16T14:13:09.399Z",
    "dateReserved": "2024-12-29T08:45:45.823Z",
    "dateUpdated": "2025-11-03T19:42:14.519Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37866 (GCVE-0-2025-37866)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:43 – Updated: 2025-05-26 05:22

Title

mlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show()

Summary

In the Linux kernel, the following vulnerability has been resolved: mlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show() A warning is seen when running the latest kernel on a BlueField SOC: [251.512704] ------------[ cut here ]------------ [251.512711] invalid sysfs_emit: buf:0000000003aa32ae [251.512720] WARNING: CPU: 1 PID: 705264 at fs/sysfs/file.c:767 sysfs_emit+0xac/0xc8 The warning is triggered because the mlxbf-bootctl driver invokes "sysfs_emit()" with a buffer pointer that is not aligned to the start of the page. The driver should instead use "sysfs_emit_at()" to support non-zero offsets into the destination buffer.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5e1dcc5bfd7a28961…
	https://git.kernel.org/stable/c/b129005ddfc0e6daf…

Impacted products

Vendor

Product

Version

Linux

Affected: 9886f575de5aefcfab537467c72e5176e5301df0 , < 5e1dcc5bfd7a2896178c604bc69d6ab9650967da (git)
Affected: 9886f575de5aefcfab537467c72e5176e5301df0 , < b129005ddfc0e6daf04a6d3b928a9e474f9b3918 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/mellanox/mlxbf-bootctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5e1dcc5bfd7a2896178c604bc69d6ab9650967da",
              "status": "affected",
              "version": "9886f575de5aefcfab537467c72e5176e5301df0",
              "versionType": "git"
            },
            {
              "lessThan": "b129005ddfc0e6daf04a6d3b928a9e474f9b3918",
              "status": "affected",
              "version": "9886f575de5aefcfab537467c72e5176e5301df0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/platform/mellanox/mlxbf-bootctl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show()\n\nA warning is seen when running the latest kernel on a BlueField SOC:\n[251.512704] ------------[ cut here ]------------\n[251.512711] invalid sysfs_emit: buf:0000000003aa32ae\n[251.512720] WARNING: CPU: 1 PID: 705264 at fs/sysfs/file.c:767 sysfs_emit+0xac/0xc8\n\nThe warning is triggered because the mlxbf-bootctl driver invokes\n\"sysfs_emit()\" with a buffer pointer that is not aligned to the\nstart of the page. The driver should instead use \"sysfs_emit_at()\"\nto support non-zero offsets into the destination buffer."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:37.272Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5e1dcc5bfd7a2896178c604bc69d6ab9650967da"
        },
        {
          "url": "https://git.kernel.org/stable/c/b129005ddfc0e6daf04a6d3b928a9e474f9b3918"
        }
      ],
      "title": "mlxbf-bootctl: use sysfs_emit_at() in secure_boot_fuse_state_show()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37866",
    "datePublished": "2025-05-09T06:43:56.128Z",
    "dateReserved": "2025-04-16T04:51:23.959Z",
    "dateUpdated": "2025-05-26T05:22:37.272Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21667 (GCVE-0-2025-21667)

Vulnerability from cvelistv5 – Published: 2025-01-31 11:25 – Updated: 2025-11-03 20:58

Title

iomap: avoid avoid truncating 64-bit offset to 32 bits

Summary

In the Linux kernel, the following vulnerability has been resolved: iomap: avoid avoid truncating 64-bit offset to 32 bits on 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a 32-bit position due to folio_next_index() returning an unsigned long. This could lead to an infinite loop when writing to an xfs filesystem.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7ca4bd6b754913910…
	https://git.kernel.org/stable/c/91371922704c8d820…
	https://git.kernel.org/stable/c/402ce16421477e27f…
	https://git.kernel.org/stable/c/c13094b894de28951…

Impacted products

Vendor

Product

Version

Linux

Affected: 38be53c3fd7f4f4bd5de319a323d72f9f6beb16d , < 7ca4bd6b754913910151acce00be093f03642725 (git)
Affected: f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78 , < 91371922704c8d82049ef7c2ad974d0a2cd1174d (git)
Affected: f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78 , < 402ce16421477e27f30b57d6d1a6dc248fa3a4e4 (git)
Affected: f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78 , < c13094b894de289514d84b8db56d1f2931a0bade (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.1.127 , ≤ 6.1.* (semver)
Unaffected: 6.6.74 , ≤ 6.6.* (semver)
Unaffected: 6.12.11 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21667",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:52:21.085085Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-835",
                "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:12.595Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:46.039Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/iomap/buffered-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7ca4bd6b754913910151acce00be093f03642725",
              "status": "affected",
              "version": "38be53c3fd7f4f4bd5de319a323d72f9f6beb16d",
              "versionType": "git"
            },
            {
              "lessThan": "91371922704c8d82049ef7c2ad974d0a2cd1174d",
              "status": "affected",
              "version": "f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78",
              "versionType": "git"
            },
            {
              "lessThan": "402ce16421477e27f30b57d6d1a6dc248fa3a4e4",
              "status": "affected",
              "version": "f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78",
              "versionType": "git"
            },
            {
              "lessThan": "c13094b894de289514d84b8db56d1f2931a0bade",
              "status": "affected",
              "version": "f43dc4dc3eff028b5ddddd99f3a66c5a6bdd4e78",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/iomap/buffered-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "6.1.92",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\niomap: avoid avoid truncating 64-bit offset to 32 bits\n\non 32-bit kernels, iomap_write_delalloc_scan() was inadvertently using a\n32-bit position due to folio_next_index() returning an unsigned long.\nThis could lead to an infinite loop when writing to an xfs filesystem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:34.496Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7ca4bd6b754913910151acce00be093f03642725"
        },
        {
          "url": "https://git.kernel.org/stable/c/91371922704c8d82049ef7c2ad974d0a2cd1174d"
        },
        {
          "url": "https://git.kernel.org/stable/c/402ce16421477e27f30b57d6d1a6dc248fa3a4e4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c13094b894de289514d84b8db56d1f2931a0bade"
        }
      ],
      "title": "iomap: avoid avoid truncating 64-bit offset to 32 bits",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21667",
    "datePublished": "2025-01-31T11:25:31.792Z",
    "dateReserved": "2024-12-29T08:45:45.733Z",
    "dateUpdated": "2025-11-03T20:58:46.039Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21887 (GCVE-0-2025-21887)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2025-12-06 21:38

Title

ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up

Summary

In the Linux kernel, the following vulnerability has been resolved: ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up The issue was caused by dput(upper) being called before ovl_dentry_update_reval(), while upper->d_flags was still accessed in ovl_dentry_remote(). Move dput(upper) after its last use to prevent use-after-free. BUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline] BUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114 print_address_description mm/kasan/report.c:377 [inline] print_report+0xc3/0x620 mm/kasan/report.c:488 kasan_report+0xd9/0x110 mm/kasan/report.c:601 ovl_dentry_remote fs/overlayfs/util.c:162 [inline] ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167 ovl_link_up fs/overlayfs/copy_up.c:610 [inline] ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170 ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223 ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136 vfs_rename+0xf84/0x20a0 fs/namei.c:4893 ... </TASK>

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f77618291836168ec…
	https://git.kernel.org/stable/c/4b49d939b5a79117f…
	https://git.kernel.org/stable/c/a7c41830ffcd17b21…
	https://git.kernel.org/stable/c/64455c8051c3aedc7…
	https://git.kernel.org/stable/c/3594aad97e7be2557…
	https://git.kernel.org/stable/c/60b4b5c1277fc491d…
	https://git.kernel.org/stable/c/c84e125fff2615b4d…

Impacted products

Vendor

Product

Version

Linux

Affected: 714ba10a6dd19752a349e59aa875f3288ccb59b9 , < f77618291836168eca99e89cd175256f928f5e64 (git)
Affected: 62f29ca45f832e281fc14966ac25f6ff3bd121ca , < 4b49d939b5a79117f939b77cc67efae2694d9799 (git)
Affected: e4f2a1feebb3f209a0fca82aa53507a5b8be4d53 , < a7c41830ffcd17b2177a95a9b99b270302090c35 (git)
Affected: b07d5cc93e1b28df47a72c519d09d0a836043613 , < 64455c8051c3aedc71abb7ec8d47c80301f99f00 (git)
Affected: b07d5cc93e1b28df47a72c519d09d0a836043613 , < 3594aad97e7be2557ca9fa9c931b206b604028c8 (git)
Affected: b07d5cc93e1b28df47a72c519d09d0a836043613 , < 60b4b5c1277fc491da9e1e7abab307bfa39c2db7 (git)
Affected: b07d5cc93e1b28df47a72c519d09d0a836043613 , < c84e125fff2615b4d9c259e762596134eddd2f27 (git)
Affected: 33ab4dd6202f359558a0a2678b94d1b9994c17e5 (git)
Affected: 1ecdc55e5cd9f70f8d7513802971d4cffb9f77af (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 5.10.247 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21887",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-03-27T16:59:58.510815Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-03-27T17:08:22.888Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:40.259Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/overlayfs/copy_up.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f77618291836168eca99e89cd175256f928f5e64",
              "status": "affected",
              "version": "714ba10a6dd19752a349e59aa875f3288ccb59b9",
              "versionType": "git"
            },
            {
              "lessThan": "4b49d939b5a79117f939b77cc67efae2694d9799",
              "status": "affected",
              "version": "62f29ca45f832e281fc14966ac25f6ff3bd121ca",
              "versionType": "git"
            },
            {
              "lessThan": "a7c41830ffcd17b2177a95a9b99b270302090c35",
              "status": "affected",
              "version": "e4f2a1feebb3f209a0fca82aa53507a5b8be4d53",
              "versionType": "git"
            },
            {
              "lessThan": "64455c8051c3aedc71abb7ec8d47c80301f99f00",
              "status": "affected",
              "version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
              "versionType": "git"
            },
            {
              "lessThan": "3594aad97e7be2557ca9fa9c931b206b604028c8",
              "status": "affected",
              "version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
              "versionType": "git"
            },
            {
              "lessThan": "60b4b5c1277fc491da9e1e7abab307bfa39c2db7",
              "status": "affected",
              "version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
              "versionType": "git"
            },
            {
              "lessThan": "c84e125fff2615b4d9c259e762596134eddd2f27",
              "status": "affected",
              "version": "b07d5cc93e1b28df47a72c519d09d0a836043613",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "33ab4dd6202f359558a0a2678b94d1b9994c17e5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1ecdc55e5cd9f70f8d7513802971d4cffb9f77af",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/overlayfs/copy_up.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.247",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.247",
                  "versionStartIncluding": "5.10.188",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15.121",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "6.1.39",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up\n\nThe issue was caused by dput(upper) being called before\novl_dentry_update_reval(), while upper-\u003ed_flags was still\naccessed in ovl_dentry_remote().\n\nMove dput(upper) after its last use to prevent use-after-free.\n\nBUG: KASAN: slab-use-after-free in ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\nBUG: KASAN: slab-use-after-free in ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n\nCall Trace:\n \u003cTASK\u003e\n __dump_stack lib/dump_stack.c:88 [inline]\n dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114\n print_address_description mm/kasan/report.c:377 [inline]\n print_report+0xc3/0x620 mm/kasan/report.c:488\n kasan_report+0xd9/0x110 mm/kasan/report.c:601\n ovl_dentry_remote fs/overlayfs/util.c:162 [inline]\n ovl_dentry_update_reval+0xd2/0xf0 fs/overlayfs/util.c:167\n ovl_link_up fs/overlayfs/copy_up.c:610 [inline]\n ovl_copy_up_one+0x2105/0x3490 fs/overlayfs/copy_up.c:1170\n ovl_copy_up_flags+0x18d/0x200 fs/overlayfs/copy_up.c:1223\n ovl_rename+0x39e/0x18c0 fs/overlayfs/dir.c:1136\n vfs_rename+0xf84/0x20a0 fs/namei.c:4893\n...\n \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-06T21:38:16.505Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f77618291836168eca99e89cd175256f928f5e64"
        },
        {
          "url": "https://git.kernel.org/stable/c/4b49d939b5a79117f939b77cc67efae2694d9799"
        },
        {
          "url": "https://git.kernel.org/stable/c/a7c41830ffcd17b2177a95a9b99b270302090c35"
        },
        {
          "url": "https://git.kernel.org/stable/c/64455c8051c3aedc71abb7ec8d47c80301f99f00"
        },
        {
          "url": "https://git.kernel.org/stable/c/3594aad97e7be2557ca9fa9c931b206b604028c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/60b4b5c1277fc491da9e1e7abab307bfa39c2db7"
        },
        {
          "url": "https://git.kernel.org/stable/c/c84e125fff2615b4d9c259e762596134eddd2f27"
        }
      ],
      "title": "ovl: fix UAF in ovl_dentry_update_reval by moving dput() in ovl_link_up",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21887",
    "datePublished": "2025-03-27T14:57:14.524Z",
    "dateReserved": "2024-12-29T08:45:45.782Z",
    "dateUpdated": "2025-12-06T21:38:16.505Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21722 (GCVE-0-2025-21722)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:07 – Updated: 2025-11-03 19:36

Title

nilfs2: do not force clear folio if buffer is referenced

Summary

In the Linux kernel, the following vulnerability has been resolved: nilfs2: do not force clear folio if buffer is referenced Patch series "nilfs2: protect busy buffer heads from being force-cleared". This series fixes the buffer head state inconsistency issues reported by syzbot that occurs when the filesystem is corrupted and falls back to read-only, and the associated buffer head use-after-free issue. This patch (of 2): Syzbot has reported that after nilfs2 detects filesystem corruption and falls back to read-only, inconsistencies in the buffer state may occur. One of the inconsistencies is that when nilfs2 calls mark_buffer_dirty() to set a data or metadata buffer as dirty, but it detects that the buffer is not in the uptodate state: WARNING: CPU: 0 PID: 6049 at fs/buffer.c:1177 mark_buffer_dirty+0x2e5/0x520 fs/buffer.c:1177 ... Call Trace: <TASK> nilfs_palloc_commit_alloc_entry+0x4b/0x160 fs/nilfs2/alloc.c:598 nilfs_ifile_create_inode+0x1dd/0x3a0 fs/nilfs2/ifile.c:73 nilfs_new_inode+0x254/0x830 fs/nilfs2/inode.c:344 nilfs_mkdir+0x10d/0x340 fs/nilfs2/namei.c:218 vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257 do_mkdirat+0x264/0x3a0 fs/namei.c:4280 __do_sys_mkdirat fs/namei.c:4295 [inline] __se_sys_mkdirat fs/namei.c:4293 [inline] __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f The other is when nilfs_btree_propagate(), which propagates the dirty state to the ancestor nodes of a b-tree that point to a dirty buffer, detects that the origin buffer is not dirty, even though it should be: WARNING: CPU: 0 PID: 5245 at fs/nilfs2/btree.c:2089 nilfs_btree_propagate+0xc79/0xdf0 fs/nilfs2/btree.c:2089 ... Call Trace: <TASK> nilfs_bmap_propagate+0x75/0x120 fs/nilfs2/bmap.c:345 nilfs_collect_file_data+0x4d/0xd0 fs/nilfs2/segment.c:587 nilfs_segctor_apply_buffers+0x184/0x340 fs/nilfs2/segment.c:1006 nilfs_segctor_scan_file+0x28c/0xa50 fs/nilfs2/segment.c:1045 nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1216 [inline] nilfs_segctor_collect fs/nilfs2/segment.c:1540 [inline] nilfs_segctor_do_construct+0x1c28/0x6b90 fs/nilfs2/segment.c:2115 nilfs_segctor_construct+0x181/0x6b0 fs/nilfs2/segment.c:2479 nilfs_segctor_thread_construct fs/nilfs2/segment.c:2587 [inline] nilfs_segctor_thread+0x69e/0xe80 fs/nilfs2/segment.c:2701 kthread+0x2f0/0x390 kernel/kthread.c:389 ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147 ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244 </TASK> Both of these issues are caused by the callbacks that handle the page/folio write requests, forcibly clear various states, including the working state of the buffers they hold, at unexpected times when they detect read-only fallback. Fix these issues by checking if the buffer is referenced before clearing the page/folio state, and skipping the clear if it is.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/7d0544bacc11d6aa2…
	https://git.kernel.org/stable/c/4d042811c72f71be7…
	https://git.kernel.org/stable/c/f51ff43c4c5a6c8e7…
	https://git.kernel.org/stable/c/19296737024cd220a…
	https://git.kernel.org/stable/c/1098bb8d52419d262…
	https://git.kernel.org/stable/c/557ccf5e49f1fb848…
	https://git.kernel.org/stable/c/ca76bb226bf47ff04…

Impacted products

Vendor

Product

Version

Linux

Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 7d0544bacc11d6aa26ecd7debf9353193c7a3328 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 4d042811c72f71be7c14726db2c72b67025a7cb5 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < f51ff43c4c5a6c8e72d0aca89e4d5e688938412f (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 19296737024cd220a1d6590bf4c092bca8c99497 (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 1098bb8d52419d262a3358d099a1598a920b730f (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < 557ccf5e49f1fb848a29698585bcab2e50a597ef (git)
Affected: 8c26c4e2694a163d525976e804d81cd955bbb40c , < ca76bb226bf47ff04c782cacbd299f12ddee1ec1 (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21722",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:14:37.739187Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:22:30.078Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:36:21.865Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/page.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "7d0544bacc11d6aa26ecd7debf9353193c7a3328",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "4d042811c72f71be7c14726db2c72b67025a7cb5",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "f51ff43c4c5a6c8e72d0aca89e4d5e688938412f",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "19296737024cd220a1d6590bf4c092bca8c99497",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "1098bb8d52419d262a3358d099a1598a920b730f",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "557ccf5e49f1fb848a29698585bcab2e50a597ef",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            },
            {
              "lessThan": "ca76bb226bf47ff04c782cacbd299f12ddee1ec1",
              "status": "affected",
              "version": "8c26c4e2694a163d525976e804d81cd955bbb40c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nilfs2/page.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnilfs2: do not force clear folio if buffer is referenced\n\nPatch series \"nilfs2: protect busy buffer heads from being force-cleared\".\n\nThis series fixes the buffer head state inconsistency issues reported by\nsyzbot that occurs when the filesystem is corrupted and falls back to\nread-only, and the associated buffer head use-after-free issue.\n\n\nThis patch (of 2):\n\nSyzbot has reported that after nilfs2 detects filesystem corruption and\nfalls back to read-only, inconsistencies in the buffer state may occur.\n\nOne of the inconsistencies is that when nilfs2 calls mark_buffer_dirty()\nto set a data or metadata buffer as dirty, but it detects that the buffer\nis not in the uptodate state:\n\n WARNING: CPU: 0 PID: 6049 at fs/buffer.c:1177 mark_buffer_dirty+0x2e5/0x520\n  fs/buffer.c:1177\n ...\n Call Trace:\n  \u003cTASK\u003e\n  nilfs_palloc_commit_alloc_entry+0x4b/0x160 fs/nilfs2/alloc.c:598\n  nilfs_ifile_create_inode+0x1dd/0x3a0 fs/nilfs2/ifile.c:73\n  nilfs_new_inode+0x254/0x830 fs/nilfs2/inode.c:344\n  nilfs_mkdir+0x10d/0x340 fs/nilfs2/namei.c:218\n  vfs_mkdir+0x2f9/0x4f0 fs/namei.c:4257\n  do_mkdirat+0x264/0x3a0 fs/namei.c:4280\n  __do_sys_mkdirat fs/namei.c:4295 [inline]\n  __se_sys_mkdirat fs/namei.c:4293 [inline]\n  __x64_sys_mkdirat+0x87/0xa0 fs/namei.c:4293\n  do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n  do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83\n  entry_SYSCALL_64_after_hwframe+0x77/0x7f\n\nThe other is when nilfs_btree_propagate(), which propagates the dirty\nstate to the ancestor nodes of a b-tree that point to a dirty buffer,\ndetects that the origin buffer is not dirty, even though it should be:\n\n WARNING: CPU: 0 PID: 5245 at fs/nilfs2/btree.c:2089\n  nilfs_btree_propagate+0xc79/0xdf0 fs/nilfs2/btree.c:2089\n ...\n Call Trace:\n  \u003cTASK\u003e\n  nilfs_bmap_propagate+0x75/0x120 fs/nilfs2/bmap.c:345\n  nilfs_collect_file_data+0x4d/0xd0 fs/nilfs2/segment.c:587\n  nilfs_segctor_apply_buffers+0x184/0x340 fs/nilfs2/segment.c:1006\n  nilfs_segctor_scan_file+0x28c/0xa50 fs/nilfs2/segment.c:1045\n  nilfs_segctor_collect_blocks fs/nilfs2/segment.c:1216 [inline]\n  nilfs_segctor_collect fs/nilfs2/segment.c:1540 [inline]\n  nilfs_segctor_do_construct+0x1c28/0x6b90 fs/nilfs2/segment.c:2115\n  nilfs_segctor_construct+0x181/0x6b0 fs/nilfs2/segment.c:2479\n  nilfs_segctor_thread_construct fs/nilfs2/segment.c:2587 [inline]\n  nilfs_segctor_thread+0x69e/0xe80 fs/nilfs2/segment.c:2701\n  kthread+0x2f0/0x390 kernel/kthread.c:389\n  ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147\n  ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244\n  \u003c/TASK\u003e\n\nBoth of these issues are caused by the callbacks that handle the\npage/folio write requests, forcibly clear various states, including the\nworking state of the buffers they hold, at unexpected times when they\ndetect read-only fallback.\n\nFix these issues by checking if the buffer is referenced before clearing\nthe page/folio state, and skipping the clear if it is."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:19:46.489Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/7d0544bacc11d6aa26ecd7debf9353193c7a3328"
        },
        {
          "url": "https://git.kernel.org/stable/c/4d042811c72f71be7c14726db2c72b67025a7cb5"
        },
        {
          "url": "https://git.kernel.org/stable/c/f51ff43c4c5a6c8e72d0aca89e4d5e688938412f"
        },
        {
          "url": "https://git.kernel.org/stable/c/19296737024cd220a1d6590bf4c092bca8c99497"
        },
        {
          "url": "https://git.kernel.org/stable/c/1098bb8d52419d262a3358d099a1598a920b730f"
        },
        {
          "url": "https://git.kernel.org/stable/c/557ccf5e49f1fb848a29698585bcab2e50a597ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca76bb226bf47ff04c782cacbd299f12ddee1ec1"
        }
      ],
      "title": "nilfs2: do not force clear folio if buffer is referenced",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21722",
    "datePublished": "2025-02-27T02:07:30.387Z",
    "dateReserved": "2024-12-29T08:45:45.753Z",
    "dateUpdated": "2025-11-03T19:36:21.865Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22013 (GCVE-0-2025-22013)

Vulnerability from cvelistv5 – Published: 2025-04-08 08:18 – Updated: 2025-05-04 07:27

Title

KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state

Summary

In the Linux kernel, the following vulnerability has been resolved: KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state There are several problems with the way hyp code lazily saves the host's FPSIMD/SVE state, including: * Host SVE being discarded unexpectedly due to inconsistent configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to result in QEMU crashes where SVE is used by memmove(), as reported by Eric Auger: https://issues.redhat.com/browse/RHEL-68997 * Host SVE state is discarded *after* modification by ptrace, which was an unintentional ptrace ABI change introduced with lazy discarding of SVE state. * The host FPMR value can be discarded when running a non-protected VM, where FPMR support is not exposed to a VM, and that VM uses FPSIMD/SVE. In these cases the hyp code does not save the host's FPMR before unbinding the host's FPSIMD/SVE/SME state, leaving a stale value in memory. Avoid these by eagerly saving and "flushing" the host's FPSIMD/SVE/SME state when loading a vCPU such that KVM does not need to save any of the host's FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is removed and the necessary call to fpsimd_save_and_flush_cpu_state() is placed in kvm_arch_vcpu_load_fp(). As 'fpsimd_state' and 'fpmr_ptr' should not be used, they are set to NULL; all uses of these will be removed in subsequent patches. Historical problems go back at least as far as v5.17, e.g. erroneous assumptions about TIF_SVE being clear in commit: 8383741ab2e773a9 ("KVM: arm64: Get rid of host SVE tracking/saving") ... and so this eager save+flush probably needs to be backported to ALL stable trees.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5289ac43b69c61a49…
	https://git.kernel.org/stable/c/04c50cc23a492c4d4…
	https://git.kernel.org/stable/c/806d5c1e1d2e55021…
	https://git.kernel.org/stable/c/79e140bba70bcacc5…
	https://git.kernel.org/stable/c/900b444be493b7f40…
	https://git.kernel.org/stable/c/fbc7e61195e23f744…

Impacted products

Vendor

Product

Version

Linux

Affected: c4ab60a86c5ed7c0d727c6dc8cec352e16bc7f90 , < 5289ac43b69c61a49c75720921f2008005a31c43 (git)
Affected: d5f7d3833b534f9e43e548461dba1e60aa82f587 , < 04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e (git)
Affected: 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe , < 806d5c1e1d2e5502175a24bf70f251648d99c36a (git)
Affected: 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe , < 79e140bba70bcacc5fe15bf8c0b958793fd7d56f (git)
Affected: 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe , < 900b444be493b7f404898c785d6605b177a093d0 (git)
Affected: 93ae6b01bafee8fa385aa25ee7ebdb40057f6abe , < fbc7e61195e23f744814e78524b73b59faa54ab4 (git)

Linux

Affected: 6.2
Unaffected: 0 , < 6.2 (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/fpsimd.c",
            "arch/arm64/kvm/fpsimd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5289ac43b69c61a49c75720921f2008005a31c43",
              "status": "affected",
              "version": "c4ab60a86c5ed7c0d727c6dc8cec352e16bc7f90",
              "versionType": "git"
            },
            {
              "lessThan": "04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e",
              "status": "affected",
              "version": "d5f7d3833b534f9e43e548461dba1e60aa82f587",
              "versionType": "git"
            },
            {
              "lessThan": "806d5c1e1d2e5502175a24bf70f251648d99c36a",
              "status": "affected",
              "version": "93ae6b01bafee8fa385aa25ee7ebdb40057f6abe",
              "versionType": "git"
            },
            {
              "lessThan": "79e140bba70bcacc5fe15bf8c0b958793fd7d56f",
              "status": "affected",
              "version": "93ae6b01bafee8fa385aa25ee7ebdb40057f6abe",
              "versionType": "git"
            },
            {
              "lessThan": "900b444be493b7f404898c785d6605b177a093d0",
              "status": "affected",
              "version": "93ae6b01bafee8fa385aa25ee7ebdb40057f6abe",
              "versionType": "git"
            },
            {
              "lessThan": "fbc7e61195e23f744814e78524b73b59faa54ab4",
              "status": "affected",
              "version": "93ae6b01bafee8fa385aa25ee7ebdb40057f6abe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/fpsimd.c",
            "arch/arm64/kvm/fpsimd.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.2"
            },
            {
              "lessThan": "6.2",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nKVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state\n\nThere are several problems with the way hyp code lazily saves the host\u0027s\nFPSIMD/SVE state, including:\n\n* Host SVE being discarded unexpectedly due to inconsistent\n  configuration of TIF_SVE and CPACR_ELx.ZEN. This has been seen to\n  result in QEMU crashes where SVE is used by memmove(), as reported by\n  Eric Auger:\n\n  https://issues.redhat.com/browse/RHEL-68997\n\n* Host SVE state is discarded *after* modification by ptrace, which was an\n  unintentional ptrace ABI change introduced with lazy discarding of SVE state.\n\n* The host FPMR value can be discarded when running a non-protected VM,\n  where FPMR support is not exposed to a VM, and that VM uses\n  FPSIMD/SVE. In these cases the hyp code does not save the host\u0027s FPMR\n  before unbinding the host\u0027s FPSIMD/SVE/SME state, leaving a stale\n  value in memory.\n\nAvoid these by eagerly saving and \"flushing\" the host\u0027s FPSIMD/SVE/SME\nstate when loading a vCPU such that KVM does not need to save any of the\nhost\u0027s FPSIMD/SVE/SME state. For clarity, fpsimd_kvm_prepare() is\nremoved and the necessary call to fpsimd_save_and_flush_cpu_state() is\nplaced in kvm_arch_vcpu_load_fp(). As \u0027fpsimd_state\u0027 and \u0027fpmr_ptr\u0027\nshould not be used, they are set to NULL; all uses of these will be\nremoved in subsequent patches.\n\nHistorical problems go back at least as far as v5.17, e.g. erroneous\nassumptions about TIF_SVE being clear in commit:\n\n  8383741ab2e773a9 (\"KVM: arm64: Get rid of host SVE tracking/saving\")\n\n... and so this eager save+flush probably needs to be backported to ALL\nstable trees."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:37.103Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5289ac43b69c61a49c75720921f2008005a31c43"
        },
        {
          "url": "https://git.kernel.org/stable/c/04c50cc23a492c4d43fdaefc7c1ecc0ff6f7b82e"
        },
        {
          "url": "https://git.kernel.org/stable/c/806d5c1e1d2e5502175a24bf70f251648d99c36a"
        },
        {
          "url": "https://git.kernel.org/stable/c/79e140bba70bcacc5fe15bf8c0b958793fd7d56f"
        },
        {
          "url": "https://git.kernel.org/stable/c/900b444be493b7f404898c785d6605b177a093d0"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbc7e61195e23f744814e78524b73b59faa54ab4"
        }
      ],
      "title": "KVM: arm64: Unconditionally save+flush host FPSIMD/SVE/SME state",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22013",
    "datePublished": "2025-04-08T08:18:04.000Z",
    "dateReserved": "2024-12-29T08:45:45.806Z",
    "dateUpdated": "2025-05-04T07:27:37.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37986 (GCVE-0-2025-37986)

Vulnerability from cvelistv5 – Published: 2025-05-20 17:09 – Updated: 2025-05-26 05:25

Title

usb: typec: class: Invalidate USB device pointers on partner unregistration

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: typec: class: Invalidate USB device pointers on partner unregistration To avoid using invalid USB device pointers after a Type-C partner disconnects, this patch clears the pointers upon partner unregistration. This ensures a clean state for future connections.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/40966fc9939e85677…
	https://git.kernel.org/stable/c/74911338f47c13d1b…
	https://git.kernel.org/stable/c/66e1a887273c6b89f…

Impacted products

Vendor

Product

Version

Linux

Affected: 59de2a56d127890cc610f3896d5fc31887c54ac2 , < 40966fc9939e85677fdb489dfddfa205baaad03b (git)
Affected: 59de2a56d127890cc610f3896d5fc31887c54ac2 , < 74911338f47c13d1b9470fc50718182bffad42e2 (git)
Affected: 59de2a56d127890cc610f3896d5fc31887c54ac2 , < 66e1a887273c6b89f09bc11a40d0a71d5a081a8e (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/class.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "40966fc9939e85677fdb489dfddfa205baaad03b",
              "status": "affected",
              "version": "59de2a56d127890cc610f3896d5fc31887c54ac2",
              "versionType": "git"
            },
            {
              "lessThan": "74911338f47c13d1b9470fc50718182bffad42e2",
              "status": "affected",
              "version": "59de2a56d127890cc610f3896d5fc31887c54ac2",
              "versionType": "git"
            },
            {
              "lessThan": "66e1a887273c6b89f09bc11a40d0a71d5a081a8e",
              "status": "affected",
              "version": "59de2a56d127890cc610f3896d5fc31887c54ac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/typec/class.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: typec: class: Invalidate USB device pointers on partner unregistration\n\nTo avoid using invalid USB device pointers after a Type-C partner\ndisconnects, this patch clears the pointers upon partner unregistration.\nThis ensures a clean state for future connections."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:25:08.944Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/40966fc9939e85677fdb489dfddfa205baaad03b"
        },
        {
          "url": "https://git.kernel.org/stable/c/74911338f47c13d1b9470fc50718182bffad42e2"
        },
        {
          "url": "https://git.kernel.org/stable/c/66e1a887273c6b89f09bc11a40d0a71d5a081a8e"
        }
      ],
      "title": "usb: typec: class: Invalidate USB device pointers on partner unregistration",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37986",
    "datePublished": "2025-05-20T17:09:19.584Z",
    "dateReserved": "2025-04-16T04:51:23.976Z",
    "dateUpdated": "2025-05-26T05:25:08.944Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37980 (GCVE-0-2025-37980)

Vulnerability from cvelistv5 – Published: 2025-05-20 16:58 – Updated: 2025-05-26 05:25

Title

block: fix resource leak in blk_register_queue() error path

Summary

In the Linux kernel, the following vulnerability has been resolved: block: fix resource leak in blk_register_queue() error path When registering a queue fails after blk_mq_sysfs_register() is successful but the function later encounters an error, we need to clean up the blk_mq_sysfs resources. Add the missing blk_mq_sysfs_unregister() call in the error path to properly clean up these resources and prevent a memory leak.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/549cbbd14bbec1246…
	https://git.kernel.org/stable/c/41e43134ddda35949…
	https://git.kernel.org/stable/c/55a7bb2708f7c7c5b…
	https://git.kernel.org/stable/c/40f2eb9b531475dd0…

Impacted products

Vendor

Product

Version

Linux

Affected: 320ae51feed5c2f13664aa05a76bec198967e04d , < 549cbbd14bbec12469ceb279b79c763c8a24224e (git)
Affected: 320ae51feed5c2f13664aa05a76bec198967e04d , < 41e43134ddda35949974be40520460a12dda3502 (git)
Affected: 320ae51feed5c2f13664aa05a76bec198967e04d , < 55a7bb2708f7c7c5b366d4e40916113168a3824c (git)
Affected: 320ae51feed5c2f13664aa05a76bec198967e04d , < 40f2eb9b531475dd01b683fdaf61ca3cfd03a51e (git)

Linux

Affected: 3.13
Unaffected: 0 , < 3.13 (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "block/blk-sysfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "549cbbd14bbec12469ceb279b79c763c8a24224e",
              "status": "affected",
              "version": "320ae51feed5c2f13664aa05a76bec198967e04d",
              "versionType": "git"
            },
            {
              "lessThan": "41e43134ddda35949974be40520460a12dda3502",
              "status": "affected",
              "version": "320ae51feed5c2f13664aa05a76bec198967e04d",
              "versionType": "git"
            },
            {
              "lessThan": "55a7bb2708f7c7c5b366d4e40916113168a3824c",
              "status": "affected",
              "version": "320ae51feed5c2f13664aa05a76bec198967e04d",
              "versionType": "git"
            },
            {
              "lessThan": "40f2eb9b531475dd01b683fdaf61ca3cfd03a51e",
              "status": "affected",
              "version": "320ae51feed5c2f13664aa05a76bec198967e04d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "block/blk-sysfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.13"
            },
            {
              "lessThan": "3.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nblock: fix resource leak in blk_register_queue() error path\n\nWhen registering a queue fails after blk_mq_sysfs_register() is\nsuccessful but the function later encounters an error, we need\nto clean up the blk_mq_sysfs resources.\n\nAdd the missing blk_mq_sysfs_unregister() call in the error path\nto properly clean up these resources and prevent a memory leak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:25:00.874Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/549cbbd14bbec12469ceb279b79c763c8a24224e"
        },
        {
          "url": "https://git.kernel.org/stable/c/41e43134ddda35949974be40520460a12dda3502"
        },
        {
          "url": "https://git.kernel.org/stable/c/55a7bb2708f7c7c5b366d4e40916113168a3824c"
        },
        {
          "url": "https://git.kernel.org/stable/c/40f2eb9b531475dd01b683fdaf61ca3cfd03a51e"
        }
      ],
      "title": "block: fix resource leak in blk_register_queue() error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37980",
    "datePublished": "2025-05-20T16:58:22.720Z",
    "dateReserved": "2025-04-16T04:51:23.975Z",
    "dateUpdated": "2025-05-26T05:25:00.874Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21917 (GCVE-0-2025-21917)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

usb: renesas_usbhs: Flush the notify_hotplug_work

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: renesas_usbhs: Flush the notify_hotplug_work When performing continuous unbind/bind operations on the USB drivers available on the Renesas RZ/G2L SoC, a kernel crash with the message "Unable to handle kernel NULL pointer dereference at virtual address" may occur. This issue points to the usbhsc_notify_hotplug() function. Flush the delayed work to avoid its execution when driver resources are unavailable.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4cd847a7b630a8549…
	https://git.kernel.org/stable/c/394965f90454d6f00…
	https://git.kernel.org/stable/c/3248c1f833f924246…
	https://git.kernel.org/stable/c/4ca078084cdd5f32d…
	https://git.kernel.org/stable/c/d50f5c0cd949593eb…
	https://git.kernel.org/stable/c/e5aac1c9b2974636d…
	https://git.kernel.org/stable/c/830818c8e70c0364e…
	https://git.kernel.org/stable/c/552ca6b87e3778f3d…

Impacted products

Vendor

Product

Version

Linux

Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 4cd847a7b630a85493d0294ad9542c21aafaa246 (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 394965f90454d6f00fe11879142b720c6c1a872e (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 3248c1f833f924246cb98ce7da4569133c1b2292 (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 4ca078084cdd5f32d533311d6a0b63a60dcadd41 (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < d50f5c0cd949593eb9a3d822b34d7b50046a06b7 (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < e5aac1c9b2974636db7ce796ffa6de88fa08335e (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 830818c8e70c0364e377f0c243b28061ef7967eb (git)
Affected: bc57381e634782009b1cb2e86b18013699ada576 , < 552ca6b87e3778f3dd5b87842f95138162e16c82 (git)

Linux

Affected: 3.0
Unaffected: 0 , < 3.0 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21917",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:24:08.656222Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:34.122Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:08.336Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/renesas_usbhs/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4cd847a7b630a85493d0294ad9542c21aafaa246",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "394965f90454d6f00fe11879142b720c6c1a872e",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "3248c1f833f924246cb98ce7da4569133c1b2292",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "4ca078084cdd5f32d533311d6a0b63a60dcadd41",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "d50f5c0cd949593eb9a3d822b34d7b50046a06b7",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "e5aac1c9b2974636db7ce796ffa6de88fa08335e",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "830818c8e70c0364e377f0c243b28061ef7967eb",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            },
            {
              "lessThan": "552ca6b87e3778f3dd5b87842f95138162e16c82",
              "status": "affected",
              "version": "bc57381e634782009b1cb2e86b18013699ada576",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/renesas_usbhs/common.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.0"
            },
            {
              "lessThan": "3.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: renesas_usbhs: Flush the notify_hotplug_work\n\nWhen performing continuous unbind/bind operations on the USB drivers\navailable on the Renesas RZ/G2L SoC, a kernel crash with the message\n\"Unable to handle kernel NULL pointer dereference at virtual address\"\nmay occur. This issue points to the usbhsc_notify_hotplug() function.\n\nFlush the delayed work to avoid its execution when driver resources are\nunavailable."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:31.050Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4cd847a7b630a85493d0294ad9542c21aafaa246"
        },
        {
          "url": "https://git.kernel.org/stable/c/394965f90454d6f00fe11879142b720c6c1a872e"
        },
        {
          "url": "https://git.kernel.org/stable/c/3248c1f833f924246cb98ce7da4569133c1b2292"
        },
        {
          "url": "https://git.kernel.org/stable/c/4ca078084cdd5f32d533311d6a0b63a60dcadd41"
        },
        {
          "url": "https://git.kernel.org/stable/c/d50f5c0cd949593eb9a3d822b34d7b50046a06b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/e5aac1c9b2974636db7ce796ffa6de88fa08335e"
        },
        {
          "url": "https://git.kernel.org/stable/c/830818c8e70c0364e377f0c243b28061ef7967eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/552ca6b87e3778f3dd5b87842f95138162e16c82"
        }
      ],
      "title": "usb: renesas_usbhs: Flush the notify_hotplug_work",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21917",
    "datePublished": "2025-04-01T15:40:53.042Z",
    "dateReserved": "2024-12-29T08:45:45.787Z",
    "dateUpdated": "2025-11-03T19:39:08.336Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22001 (GCVE-0-2025-22001)

Vulnerability from cvelistv5 – Published: 2025-04-03 07:19 – Updated: 2025-10-01 17:10

Title

accel/qaic: Fix integer overflow in qaic_validate_req()

Summary

In the Linux kernel, the following vulnerability has been resolved: accel/qaic: Fix integer overflow in qaic_validate_req() These are u64 variables that come from the user via qaic_attach_slice_bo_ioctl(). Use check_add_overflow() to ensure that the math doesn't have an integer wrapping bug.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/4b2a170c25862ad11…
	https://git.kernel.org/stable/c/b362fc904d264a88b…
	https://git.kernel.org/stable/c/57fae0c505f49bb1e…
	https://git.kernel.org/stable/c/67d15c7aa0864dfd8…

Impacted products

Vendor

Product

Version

Linux

Affected: ff13be8303336ead5621712f2c55012d738878b5 , < 4b2a170c25862ad116bd31be6b9841646b4862e8 (git)
Affected: ff13be8303336ead5621712f2c55012d738878b5 , < b362fc904d264a88b4af20baae9e82491c285e9c (git)
Affected: ff13be8303336ead5621712f2c55012d738878b5 , < 57fae0c505f49bb1e3d5660cd2cc49697ed85f7c (git)
Affected: ff13be8303336ead5621712f2c55012d738878b5 , < 67d15c7aa0864dfd82325c7e7e7d8548b5224c7b (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22001",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:10:27.696134Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:10:29.970Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/qaic/qaic_data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "4b2a170c25862ad116bd31be6b9841646b4862e8",
              "status": "affected",
              "version": "ff13be8303336ead5621712f2c55012d738878b5",
              "versionType": "git"
            },
            {
              "lessThan": "b362fc904d264a88b4af20baae9e82491c285e9c",
              "status": "affected",
              "version": "ff13be8303336ead5621712f2c55012d738878b5",
              "versionType": "git"
            },
            {
              "lessThan": "57fae0c505f49bb1e3d5660cd2cc49697ed85f7c",
              "status": "affected",
              "version": "ff13be8303336ead5621712f2c55012d738878b5",
              "versionType": "git"
            },
            {
              "lessThan": "67d15c7aa0864dfd82325c7e7e7d8548b5224c7b",
              "status": "affected",
              "version": "ff13be8303336ead5621712f2c55012d738878b5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/accel/qaic/qaic_data.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\naccel/qaic: Fix integer overflow in qaic_validate_req()\n\nThese are u64 variables that come from the user via\nqaic_attach_slice_bo_ioctl().  Use check_add_overflow() to ensure that\nthe math doesn\u0027t have an integer wrapping bug."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:11.881Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/4b2a170c25862ad116bd31be6b9841646b4862e8"
        },
        {
          "url": "https://git.kernel.org/stable/c/b362fc904d264a88b4af20baae9e82491c285e9c"
        },
        {
          "url": "https://git.kernel.org/stable/c/57fae0c505f49bb1e3d5660cd2cc49697ed85f7c"
        },
        {
          "url": "https://git.kernel.org/stable/c/67d15c7aa0864dfd82325c7e7e7d8548b5224c7b"
        }
      ],
      "title": "accel/qaic: Fix integer overflow in qaic_validate_req()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22001",
    "datePublished": "2025-04-03T07:19:04.251Z",
    "dateReserved": "2024-12-29T08:45:45.802Z",
    "dateUpdated": "2025-10-01T17:10:29.970Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22114 (GCVE-0-2025-22114)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-05-26 05:18

Title

btrfs: don't clobber ret in btrfs_validate_super()

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: don't clobber ret in btrfs_validate_super() Commit 2a9bb78cfd36 ("btrfs: validate system chunk array at btrfs_validate_super()") introduces a call to validate_sys_chunk_array() in btrfs_validate_super(), which clobbers the value of ret set earlier. This has the effect of negating the validity checks done earlier, making it so btrfs could potentially try to mount invalid filesystems.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ef6800a2015e706e9…
	https://git.kernel.org/stable/c/9db9c7dd5b4e1d320…

Impacted products

Vendor

Product

Version

Linux

Affected: 2a9bb78cfd367fdeff74f15b1e98969912292d9e , < ef6800a2015e706e9852a5ec15263fec9990d012 (git)
Affected: 2a9bb78cfd367fdeff74f15b1e98969912292d9e , < 9db9c7dd5b4e1d3205137a094805980082c37716 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/disk-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ef6800a2015e706e9852a5ec15263fec9990d012",
              "status": "affected",
              "version": "2a9bb78cfd367fdeff74f15b1e98969912292d9e",
              "versionType": "git"
            },
            {
              "lessThan": "9db9c7dd5b4e1d3205137a094805980082c37716",
              "status": "affected",
              "version": "2a9bb78cfd367fdeff74f15b1e98969912292d9e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/disk-io.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: don\u0027t clobber ret in btrfs_validate_super()\n\nCommit 2a9bb78cfd36 (\"btrfs: validate system chunk array at\nbtrfs_validate_super()\") introduces a call to validate_sys_chunk_array()\nin btrfs_validate_super(), which clobbers the value of ret set earlier.\nThis has the effect of negating the validity checks done earlier, making\nit so btrfs could potentially try to mount invalid filesystems."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:18:46.580Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ef6800a2015e706e9852a5ec15263fec9990d012"
        },
        {
          "url": "https://git.kernel.org/stable/c/9db9c7dd5b4e1d3205137a094805980082c37716"
        }
      ],
      "title": "btrfs: don\u0027t clobber ret in btrfs_validate_super()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22114",
    "datePublished": "2025-04-16T14:12:59.898Z",
    "dateReserved": "2024-12-29T08:45:45.823Z",
    "dateUpdated": "2025-05-26T05:18:46.580Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22020 (GCVE-0-2025-22020)

Vulnerability from cvelistv5 – Published: 2025-04-16 10:20 – Updated: 2025-11-03 19:41

Title

memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove

Summary

In the Linux kernel, the following vulnerability has been resolved: memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove This fixes the following crash: ================================================================== BUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] Read of size 8 at addr ffff888136335380 by task kworker/6:0/140241 CPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G E 6.14.0-rc6+ #1 Tainted: [E]=UNSIGNED_MODULE Hardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024 Workqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms] Call Trace: <TASK> dump_stack_lvl+0x51/0x70 print_address_description.constprop.0+0x27/0x320 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] print_report+0x3e/0x70 kasan_report+0xab/0xe0 ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms] ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms] ? __pfx___schedule+0x10/0x10 ? kick_pool+0x3b/0x270 process_one_work+0x357/0x660 worker_thread+0x390/0x4c0 ? __pfx_worker_thread+0x10/0x10 kthread+0x190/0x1d0 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x2d/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 161446: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 __kasan_kmalloc+0x7b/0x90 __kmalloc_noprof+0x1a7/0x470 memstick_alloc_host+0x1f/0xe0 [memstick] rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms] platform_probe+0x60/0xe0 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 bus_probe_device+0xbd/0xd0 device_add+0x4a5/0x760 platform_device_add+0x189/0x370 mfd_add_device+0x587/0x5e0 mfd_add_devices+0xb1/0x130 rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb] usb_probe_interface+0x15c/0x460 call_driver_probe+0x35/0x120 really_probe+0x123/0x410 __driver_probe_device+0xc7/0x1e0 driver_probe_device+0x49/0xf0 __device_attach_driver+0xc6/0x160 bus_for_each_drv+0xe4/0x160 __device_attach+0x13a/0x2b0 rebind_marked_interfaces.isra.0+0xcc/0x110 usb_reset_device+0x352/0x410 usbdev_do_ioctl+0xe5c/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 161506: kasan_save_stack+0x20/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x36/0x60 __kasan_slab_free+0x34/0x50 kfree+0x1fd/0x3b0 device_release+0x56/0xf0 kobject_cleanup+0x73/0x1c0 rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms] platform_remove+0x2f/0x50 device_release_driver_internal+0x24b/0x2e0 bus_remove_device+0x124/0x1d0 device_del+0x239/0x530 platform_device_del.part.0+0x19/0xe0 platform_device_unregister+0x1c/0x40 mfd_remove_devices_fn+0x167/0x170 device_for_each_child_reverse+0xc9/0x130 mfd_remove_devices+0x6e/0xa0 rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb] usb_unbind_interface+0xf3/0x3f0 device_release_driver_internal+0x24b/0x2e0 proc_disconnect_claim+0x13d/0x220 usbdev_do_ioctl+0xb5e/0x1860 usbdev_ioctl+0xa/0x20 __x64_sys_ioctl+0xc5/0xf0 do_syscall_64+0x59/0x170 entry_SYSCALL_64_after_hwframe+0x76/0x7e Last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x360 __irq_exit_rcu+0x114/0x130 sysvec_apic_timer_interrupt+0x72/0x90 asm_sysvec_apic_timer_interrupt+0x16/0x20 Second to last potentially related work creation: kasan_save_stack+0x20/0x40 kasan_record_aux_stack+0x85/0x90 insert_work+0x29/0x100 __queue_work+0x34a/0x540 call_timer_fn+0x2a/0x160 expire_timers+0x5f/0x1f0 __run_timer_base.part.0+0x1b6/0x1e0 run_timer_softirq+0x8b/0xe0 handle_softirqs+0xf9/0x ---truncated---

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/914c5e5bfceb9878f…
	https://git.kernel.org/stable/c/9dfaf4d723c62bda8…
	https://git.kernel.org/stable/c/31f0eaed6914333f4…
	https://git.kernel.org/stable/c/52d942a5302eefb3b…
	https://git.kernel.org/stable/c/6186fb2cd36317277…
	https://git.kernel.org/stable/c/b094e8e3988e02e8c…
	https://git.kernel.org/stable/c/0067cb7d7e7c277e9…
	https://git.kernel.org/stable/c/75123adf204f997e1…
	https://git.kernel.org/stable/c/4676741a3464b300b…

Impacted products

Vendor

Product

Version

Linux

Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 9dfaf4d723c62bda8d9d1340e2e78acf0c190439 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 31f0eaed6914333f42501fc7e0f6830879f5ef2d (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 52d942a5302eefb3b7a3bfee310a5a33feeedc21 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 6186fb2cd36317277a8423687982140a7f3f7841 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < b094e8e3988e02e8cef7a756c8d2cea9c12509ab (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 0067cb7d7e7c277e91a0887a3c24e71462379469 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 75123adf204f997e11bbddee48408c284f51c050 (git)
Affected: 6827ca573c03385439fdfc8b512d556dc7c54fc9 , < 4676741a3464b300b486e70585c3c9b692be1632 (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.133 , ≤ 6.1.* (semver)
Unaffected: 6.6.86 , ≤ 6.6.* (semver)
Unaffected: 6.12.22 , ≤ 6.12.* (semver)
Unaffected: 6.13.10 , ≤ 6.13.* (semver)
Unaffected: 6.14.1 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22020",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:06:32.262717Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:06:34.836Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:06.526Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/memstick/host/rtsx_usb_ms.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "9dfaf4d723c62bda8d9d1340e2e78acf0c190439",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "31f0eaed6914333f42501fc7e0f6830879f5ef2d",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "52d942a5302eefb3b7a3bfee310a5a33feeedc21",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "6186fb2cd36317277a8423687982140a7f3f7841",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "b094e8e3988e02e8cef7a756c8d2cea9c12509ab",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "0067cb7d7e7c277e91a0887a3c24e71462379469",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "75123adf204f997e11bbddee48408c284f51c050",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            },
            {
              "lessThan": "4676741a3464b300b486e70585c3c9b692be1632",
              "status": "affected",
              "version": "6827ca573c03385439fdfc8b512d556dc7c54fc9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/memstick/host/rtsx_usb_ms.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.133",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.86",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.133",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.86",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.22",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.10",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.1",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmemstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove\n\nThis fixes the following crash:\n\n==================================================================\nBUG: KASAN: slab-use-after-free in rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\nRead of size 8 at addr ffff888136335380 by task kworker/6:0/140241\n\nCPU: 6 UID: 0 PID: 140241 Comm: kworker/6:0 Kdump: loaded Tainted: G            E      6.14.0-rc6+ #1\nTainted: [E]=UNSIGNED_MODULE\nHardware name: LENOVO 30FNA1V7CW/1057, BIOS S0EKT54A 07/01/2024\nWorkqueue: events rtsx_usb_ms_poll_card [rtsx_usb_ms]\nCall Trace:\n \u003cTASK\u003e\n dump_stack_lvl+0x51/0x70\n print_address_description.constprop.0+0x27/0x320\n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n print_report+0x3e/0x70\n kasan_report+0xab/0xe0\n ? rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n rtsx_usb_ms_poll_card+0x159/0x200 [rtsx_usb_ms]\n ? __pfx_rtsx_usb_ms_poll_card+0x10/0x10 [rtsx_usb_ms]\n ? __pfx___schedule+0x10/0x10\n ? kick_pool+0x3b/0x270\n process_one_work+0x357/0x660\n worker_thread+0x390/0x4c0\n ? __pfx_worker_thread+0x10/0x10\n kthread+0x190/0x1d0\n ? __pfx_kthread+0x10/0x10\n ret_from_fork+0x2d/0x50\n ? __pfx_kthread+0x10/0x10\n ret_from_fork_asm+0x1a/0x30\n \u003c/TASK\u003e\n\nAllocated by task 161446:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x10/0x30\n __kasan_kmalloc+0x7b/0x90\n __kmalloc_noprof+0x1a7/0x470\n memstick_alloc_host+0x1f/0xe0 [memstick]\n rtsx_usb_ms_drv_probe+0x47/0x320 [rtsx_usb_ms]\n platform_probe+0x60/0xe0\n call_driver_probe+0x35/0x120\n really_probe+0x123/0x410\n __driver_probe_device+0xc7/0x1e0\n driver_probe_device+0x49/0xf0\n __device_attach_driver+0xc6/0x160\n bus_for_each_drv+0xe4/0x160\n __device_attach+0x13a/0x2b0\n bus_probe_device+0xbd/0xd0\n device_add+0x4a5/0x760\n platform_device_add+0x189/0x370\n mfd_add_device+0x587/0x5e0\n mfd_add_devices+0xb1/0x130\n rtsx_usb_probe+0x28e/0x2e0 [rtsx_usb]\n usb_probe_interface+0x15c/0x460\n call_driver_probe+0x35/0x120\n really_probe+0x123/0x410\n __driver_probe_device+0xc7/0x1e0\n driver_probe_device+0x49/0xf0\n __device_attach_driver+0xc6/0x160\n bus_for_each_drv+0xe4/0x160\n __device_attach+0x13a/0x2b0\n rebind_marked_interfaces.isra.0+0xcc/0x110\n usb_reset_device+0x352/0x410\n usbdev_do_ioctl+0xe5c/0x1860\n usbdev_ioctl+0xa/0x20\n __x64_sys_ioctl+0xc5/0xf0\n do_syscall_64+0x59/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nFreed by task 161506:\n kasan_save_stack+0x20/0x40\n kasan_save_track+0x10/0x30\n kasan_save_free_info+0x36/0x60\n __kasan_slab_free+0x34/0x50\n kfree+0x1fd/0x3b0\n device_release+0x56/0xf0\n kobject_cleanup+0x73/0x1c0\n rtsx_usb_ms_drv_remove+0x13d/0x220 [rtsx_usb_ms]\n platform_remove+0x2f/0x50\n device_release_driver_internal+0x24b/0x2e0\n bus_remove_device+0x124/0x1d0\n device_del+0x239/0x530\n platform_device_del.part.0+0x19/0xe0\n platform_device_unregister+0x1c/0x40\n mfd_remove_devices_fn+0x167/0x170\n device_for_each_child_reverse+0xc9/0x130\n mfd_remove_devices+0x6e/0xa0\n rtsx_usb_disconnect+0x2e/0xd0 [rtsx_usb]\n usb_unbind_interface+0xf3/0x3f0\n device_release_driver_internal+0x24b/0x2e0\n proc_disconnect_claim+0x13d/0x220\n usbdev_do_ioctl+0xb5e/0x1860\n usbdev_ioctl+0xa/0x20\n __x64_sys_ioctl+0xc5/0xf0\n do_syscall_64+0x59/0x170\n entry_SYSCALL_64_after_hwframe+0x76/0x7e\n\nLast potentially related work creation:\n kasan_save_stack+0x20/0x40\n kasan_record_aux_stack+0x85/0x90\n insert_work+0x29/0x100\n __queue_work+0x34a/0x540\n call_timer_fn+0x2a/0x160\n expire_timers+0x5f/0x1f0\n __run_timer_base.part.0+0x1b6/0x1e0\n run_timer_softirq+0x8b/0xe0\n handle_softirqs+0xf9/0x360\n __irq_exit_rcu+0x114/0x130\n sysvec_apic_timer_interrupt+0x72/0x90\n asm_sysvec_apic_timer_interrupt+0x16/0x20\n\nSecond to last potentially related work creation:\n kasan_save_stack+0x20/0x40\n kasan_record_aux_stack+0x85/0x90\n insert_work+0x29/0x100\n __queue_work+0x34a/0x540\n call_timer_fn+0x2a/0x160\n expire_timers+0x5f/0x1f0\n __run_timer_base.part.0+0x1b6/0x1e0\n run_timer_softirq+0x8b/0xe0\n handle_softirqs+0xf9/0x\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:16:43.813Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/914c5e5bfceb9878f3056eaf4d1c88f2cbe0a185"
        },
        {
          "url": "https://git.kernel.org/stable/c/9dfaf4d723c62bda8d9d1340e2e78acf0c190439"
        },
        {
          "url": "https://git.kernel.org/stable/c/31f0eaed6914333f42501fc7e0f6830879f5ef2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/52d942a5302eefb3b7a3bfee310a5a33feeedc21"
        },
        {
          "url": "https://git.kernel.org/stable/c/6186fb2cd36317277a8423687982140a7f3f7841"
        },
        {
          "url": "https://git.kernel.org/stable/c/b094e8e3988e02e8cef7a756c8d2cea9c12509ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/0067cb7d7e7c277e91a0887a3c24e71462379469"
        },
        {
          "url": "https://git.kernel.org/stable/c/75123adf204f997e11bbddee48408c284f51c050"
        },
        {
          "url": "https://git.kernel.org/stable/c/4676741a3464b300b486e70585c3c9b692be1632"
        }
      ],
      "title": "memstick: rtsx_usb_ms: Fix slab-use-after-free in rtsx_usb_ms_drv_remove",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22020",
    "datePublished": "2025-04-16T10:20:37.045Z",
    "dateReserved": "2024-12-29T08:45:45.807Z",
    "dateUpdated": "2025-11-03T19:41:06.526Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37863 (GCVE-0-2025-37863)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:43 – Updated: 2025-05-26 05:22

Title

ovl: don't allow datadir only

Summary

In the Linux kernel, the following vulnerability has been resolved: ovl: don't allow datadir only In theory overlayfs could support upper layer directly referring to a data layer, but there's no current use case for this. Originally, when data-only layers were introduced, this wasn't allowed, only introduced by the "datadir+" feature, but without actually handling this case, resulting in an Oops. Fix by disallowing datadir without lowerdir.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0874b629f65320778…
	https://git.kernel.org/stable/c/b9e3579213ba648fa…
	https://git.kernel.org/stable/c/21d2ffb0e9838a175…
	https://git.kernel.org/stable/c/eb3a04a8516ee9b51…

Impacted products

Vendor

Product

Version

Linux

Affected: cc0918b3582c98f12cfb30bf7496496d14bff3e9 , < 0874b629f65320778e7e3e206177770666d9db18 (git)
Affected: 24e16e385f2272b1a9df51337a5c32d28a29c7ad , < b9e3579213ba648fa23f780e8d53e99011c62331 (git)
Affected: 24e16e385f2272b1a9df51337a5c32d28a29c7ad , < 21d2ffb0e9838a175064c22f3a9de97d1f56f27d (git)
Affected: 24e16e385f2272b1a9df51337a5c32d28a29c7ad , < eb3a04a8516ee9b5174379306f94279fc90424c4 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/overlayfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0874b629f65320778e7e3e206177770666d9db18",
              "status": "affected",
              "version": "cc0918b3582c98f12cfb30bf7496496d14bff3e9",
              "versionType": "git"
            },
            {
              "lessThan": "b9e3579213ba648fa23f780e8d53e99011c62331",
              "status": "affected",
              "version": "24e16e385f2272b1a9df51337a5c32d28a29c7ad",
              "versionType": "git"
            },
            {
              "lessThan": "21d2ffb0e9838a175064c22f3a9de97d1f56f27d",
              "status": "affected",
              "version": "24e16e385f2272b1a9df51337a5c32d28a29c7ad",
              "versionType": "git"
            },
            {
              "lessThan": "eb3a04a8516ee9b5174379306f94279fc90424c4",
              "status": "affected",
              "version": "24e16e385f2272b1a9df51337a5c32d28a29c7ad",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/overlayfs/super.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "6.6.23",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\novl: don\u0027t allow datadir only\n\nIn theory overlayfs could support upper layer directly referring to a data\nlayer, but there\u0027s no current use case for this.\n\nOriginally, when data-only layers were introduced, this wasn\u0027t allowed,\nonly introduced by the \"datadir+\" feature, but without actually handling\nthis case, resulting in an Oops.\n\nFix by disallowing datadir without lowerdir."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:33.385Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0874b629f65320778e7e3e206177770666d9db18"
        },
        {
          "url": "https://git.kernel.org/stable/c/b9e3579213ba648fa23f780e8d53e99011c62331"
        },
        {
          "url": "https://git.kernel.org/stable/c/21d2ffb0e9838a175064c22f3a9de97d1f56f27d"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb3a04a8516ee9b5174379306f94279fc90424c4"
        }
      ],
      "title": "ovl: don\u0027t allow datadir only",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37863",
    "datePublished": "2025-05-09T06:43:54.250Z",
    "dateReserved": "2025-04-16T04:51:23.958Z",
    "dateUpdated": "2025-05-26T05:22:33.385Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22046 (GCVE-0-2025-22046)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-05-26 05:17

Title

uprobes/x86: Harden uretprobe syscall trampoline check

Summary

In the Linux kernel, the following vulnerability has been resolved: uprobes/x86: Harden uretprobe syscall trampoline check Jann reported a possible issue when trampoline_check_ip returns address near the bottom of the address space that is allowed to call into the syscall if uretprobes are not set up: https://lore.kernel.org/bpf/202502081235.5A6F352985@keescook/T/#m9d416df341b8fbc11737dacbcd29f0054413cbbf Though the mmap minimum address restrictions will typically prevent creating mappings there, let's make sure uretprobe syscall checks for that.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c35771342e47d58ab…
	https://git.kernel.org/stable/c/b0065d712049c87e1…
	https://git.kernel.org/stable/c/d4e48b8d59fe16293…
	https://git.kernel.org/stable/c/fa6192adc32f4fdfe…

Impacted products

Vendor

Product

Version

Linux

Affected: ff474a78cef5cb5f32be52fe25b78441327a2e7c , < c35771342e47d58ab9433f3be1c3c30f2c5fa4f3 (git)
Affected: ff474a78cef5cb5f32be52fe25b78441327a2e7c , < b0065d712049c87e1994c6eac00c6a637e39b325 (git)
Affected: ff474a78cef5cb5f32be52fe25b78441327a2e7c , < d4e48b8d59fe162938a5004ace698c847e6a3207 (git)
Affected: ff474a78cef5cb5f32be52fe25b78441327a2e7c , < fa6192adc32f4fdfe5b74edd5b210e12afd6ecc0 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/uprobes.c",
            "include/linux/uprobes.h",
            "kernel/events/uprobes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c35771342e47d58ab9433f3be1c3c30f2c5fa4f3",
              "status": "affected",
              "version": "ff474a78cef5cb5f32be52fe25b78441327a2e7c",
              "versionType": "git"
            },
            {
              "lessThan": "b0065d712049c87e1994c6eac00c6a637e39b325",
              "status": "affected",
              "version": "ff474a78cef5cb5f32be52fe25b78441327a2e7c",
              "versionType": "git"
            },
            {
              "lessThan": "d4e48b8d59fe162938a5004ace698c847e6a3207",
              "status": "affected",
              "version": "ff474a78cef5cb5f32be52fe25b78441327a2e7c",
              "versionType": "git"
            },
            {
              "lessThan": "fa6192adc32f4fdfe5b74edd5b210e12afd6ecc0",
              "status": "affected",
              "version": "ff474a78cef5cb5f32be52fe25b78441327a2e7c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/kernel/uprobes.c",
            "include/linux/uprobes.h",
            "kernel/events/uprobes.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nuprobes/x86: Harden uretprobe syscall trampoline check\n\nJann reported a possible issue when trampoline_check_ip returns\naddress near the bottom of the address space that is allowed to\ncall into the syscall if uretprobes are not set up:\n\n   https://lore.kernel.org/bpf/202502081235.5A6F352985@keescook/T/#m9d416df341b8fbc11737dacbcd29f0054413cbbf\n\nThough the mmap minimum address restrictions will typically prevent\ncreating mappings there, let\u0027s make sure uretprobe syscall checks\nfor that."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:17.791Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c35771342e47d58ab9433f3be1c3c30f2c5fa4f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0065d712049c87e1994c6eac00c6a637e39b325"
        },
        {
          "url": "https://git.kernel.org/stable/c/d4e48b8d59fe162938a5004ace698c847e6a3207"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa6192adc32f4fdfe5b74edd5b210e12afd6ecc0"
        }
      ],
      "title": "uprobes/x86: Harden uretprobe syscall trampoline check",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22046",
    "datePublished": "2025-04-16T14:12:06.454Z",
    "dateReserved": "2024-12-29T08:45:45.810Z",
    "dateUpdated": "2025-05-26T05:17:17.791Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37867 (GCVE-0-2025-37867)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:43 – Updated: 2025-11-03 19:56

Title

RDMA/core: Silence oversized kvmalloc() warning

Summary

In the Linux kernel, the following vulnerability has been resolved: RDMA/core: Silence oversized kvmalloc() warning syzkaller triggered an oversized kvmalloc() warning. Silence it by adding __GFP_NOWARN. syzkaller log: WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180 CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 RIP: 0010:__kvmalloc_node_noprof+0x175/0x180 RSP: 0018:ffffc90001e67c10 EFLAGS: 00010246 RAX: 0000000000000100 RBX: 0000000000000400 RCX: ffffffff8149d46b RDX: 0000000000000000 RSI: ffff8881030fae80 RDI: 0000000000000002 RBP: 000000712c800000 R08: 0000000000000100 R09: 0000000000000000 R10: ffffc90001e67c10 R11: 0030ae0601000000 R12: 0000000000000000 R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000 FS: 00007fde79159740(0000) GS:ffff88813bdc0000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000180 CR3: 0000000105eb4005 CR4: 00000000003706b0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ib_umem_odp_get+0x1f6/0x390 mlx5_ib_reg_user_mr+0x1e8/0x450 ib_uverbs_reg_mr+0x28b/0x440 ib_uverbs_write+0x7d3/0xa30 vfs_write+0x1ac/0x6c0 ksys_write+0x134/0x170 ? __sanitizer_cov_trace_pc+0x1c/0x50 do_syscall_64+0x50/0x110 entry_SYSCALL_64_after_hwframe+0x76/0x7e

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f94ac90ce7bd6f926…
	https://git.kernel.org/stable/c/791daf8240cedf27a…
	https://git.kernel.org/stable/c/6c588e9afbab240c9…
	https://git.kernel.org/stable/c/ae470d06320dea400…
	https://git.kernel.org/stable/c/0d81bb58a203ad5f4…
	https://git.kernel.org/stable/c/f476eba25fdf70faa…
	https://git.kernel.org/stable/c/9a0e6f15029e1a8a2…

Impacted products

Vendor

Product

Version

Linux

Affected: 37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e , < f94ac90ce7bd6f9266ad0d99044ed86e8d1416c1 (git)
Affected: 37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e , < 791daf8240cedf27af8794038ae1d32ef643bce6 (git)
Affected: 37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e , < 6c588e9afbab240c921f936cb676dac72e2e2b66 (git)
Affected: 37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e , < ae470d06320dea4002d441784d691f0a26b4322d (git)
Affected: 37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e , < 0d81bb58a203ad5f4044dc18cfbc230c194f650a (git)
Affected: 37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e , < f476eba25fdf70faa7b19a3e0fb00e65c5b53106 (git)
Affected: 37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e , < 9a0e6f15029e1a8a21e40f06fd05aa52b7f063de (git)

Linux

Affected: 5.4
Unaffected: 0 , < 5.4 (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:45.599Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/umem_odp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f94ac90ce7bd6f9266ad0d99044ed86e8d1416c1",
              "status": "affected",
              "version": "37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e",
              "versionType": "git"
            },
            {
              "lessThan": "791daf8240cedf27af8794038ae1d32ef643bce6",
              "status": "affected",
              "version": "37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e",
              "versionType": "git"
            },
            {
              "lessThan": "6c588e9afbab240c921f936cb676dac72e2e2b66",
              "status": "affected",
              "version": "37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e",
              "versionType": "git"
            },
            {
              "lessThan": "ae470d06320dea4002d441784d691f0a26b4322d",
              "status": "affected",
              "version": "37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e",
              "versionType": "git"
            },
            {
              "lessThan": "0d81bb58a203ad5f4044dc18cfbc230c194f650a",
              "status": "affected",
              "version": "37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e",
              "versionType": "git"
            },
            {
              "lessThan": "f476eba25fdf70faa7b19a3e0fb00e65c5b53106",
              "status": "affected",
              "version": "37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e",
              "versionType": "git"
            },
            {
              "lessThan": "9a0e6f15029e1a8a21e40f06fd05aa52b7f063de",
              "status": "affected",
              "version": "37824952dc8fcd96e5c5a1ce9abf3f0ba09b1e5e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/infiniband/core/umem_odp.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.4"
            },
            {
              "lessThan": "5.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRDMA/core: Silence oversized kvmalloc() warning\n\nsyzkaller triggered an oversized kvmalloc() warning.\nSilence it by adding __GFP_NOWARN.\n\nsyzkaller log:\n WARNING: CPU: 7 PID: 518 at mm/util.c:665 __kvmalloc_node_noprof+0x175/0x180\n CPU: 7 UID: 0 PID: 518 Comm: c_repro Not tainted 6.11.0-rc6+ #6\n Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014\n RIP: 0010:__kvmalloc_node_noprof+0x175/0x180\n RSP: 0018:ffffc90001e67c10 EFLAGS: 00010246\n RAX: 0000000000000100 RBX: 0000000000000400 RCX: ffffffff8149d46b\n RDX: 0000000000000000 RSI: ffff8881030fae80 RDI: 0000000000000002\n RBP: 000000712c800000 R08: 0000000000000100 R09: 0000000000000000\n R10: ffffc90001e67c10 R11: 0030ae0601000000 R12: 0000000000000000\n R13: 0000000000000000 R14: 00000000ffffffff R15: 0000000000000000\n FS:  00007fde79159740(0000) GS:ffff88813bdc0000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000020000180 CR3: 0000000105eb4005 CR4: 00000000003706b0\n DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\n DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\n Call Trace:\n  \u003cTASK\u003e\n  ib_umem_odp_get+0x1f6/0x390\n  mlx5_ib_reg_user_mr+0x1e8/0x450\n  ib_uverbs_reg_mr+0x28b/0x440\n  ib_uverbs_write+0x7d3/0xa30\n  vfs_write+0x1ac/0x6c0\n  ksys_write+0x134/0x170\n  ? __sanitizer_cov_trace_pc+0x1c/0x50\n  do_syscall_64+0x50/0x110\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:38.530Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f94ac90ce7bd6f9266ad0d99044ed86e8d1416c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/791daf8240cedf27af8794038ae1d32ef643bce6"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c588e9afbab240c921f936cb676dac72e2e2b66"
        },
        {
          "url": "https://git.kernel.org/stable/c/ae470d06320dea4002d441784d691f0a26b4322d"
        },
        {
          "url": "https://git.kernel.org/stable/c/0d81bb58a203ad5f4044dc18cfbc230c194f650a"
        },
        {
          "url": "https://git.kernel.org/stable/c/f476eba25fdf70faa7b19a3e0fb00e65c5b53106"
        },
        {
          "url": "https://git.kernel.org/stable/c/9a0e6f15029e1a8a21e40f06fd05aa52b7f063de"
        }
      ],
      "title": "RDMA/core: Silence oversized kvmalloc() warning",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37867",
    "datePublished": "2025-05-09T06:43:56.749Z",
    "dateReserved": "2025-04-16T04:51:23.959Z",
    "dateUpdated": "2025-11-03T19:56:45.599Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22032 (GCVE-0-2025-22032)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2025-10-01 17:05

Title

wifi: mt76: mt7921: fix kernel panic due to null pointer dereference

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: mt76: mt7921: fix kernel panic due to null pointer dereference Address a kernel panic caused by a null pointer dereference in the `mt792x_rx_get_wcid` function. The issue arises because the `deflink` structure is not properly initialized with the `sta` context. This patch ensures that the `deflink` structure is correctly linked to the `sta` context, preventing the null pointer dereference. BUG: kernel NULL pointer dereference, address: 0000000000000400 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI CPU: 0 UID: 0 PID: 470 Comm: mt76-usb-rx phy Not tainted 6.12.13-gentoo-dist #1 Hardware name: /AMD HUDSON-M1, BIOS 4.6.4 11/15/2011 RIP: 0010:mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib] RSP: 0018:ffffa147c055fd98 EFLAGS: 00010202 RAX: 0000000000000000 RBX: ffff8e9ecb652000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e9ecb652000 RBP: 0000000000000685 R08: ffff8e9ec6570000 R09: 0000000000000000 R10: ffff8e9ecd2ca000 R11: ffff8e9f22a217c0 R12: 0000000038010119 R13: 0000000080843801 R14: ffff8e9ec6570000 R15: ffff8e9ecb652000 FS: 0000000000000000(0000) GS:ffff8e9f22a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000400 CR3: 000000000d2ea000 CR4: 00000000000006f0 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15a/0x2f0 ? search_module_extables+0x19/0x60 ? search_bpf_extables+0x5f/0x80 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib] mt7921_queue_rx_skb+0x1c6/0xaa0 [mt7921_common] mt76u_alloc_queues+0x784/0x810 [mt76_usb] ? __pfx___mt76_worker_fn+0x10/0x10 [mt76] __mt76_worker_fn+0x4f/0x80 [mt76] kthread+0xd2/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x34/0x50 ? __pfx_kthread+0x10/0x10 ret_from_fork_asm+0x1a/0x30 </TASK> ---[ end trace 0000000000000000 ]---

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0cfea60966e4b1239…
	https://git.kernel.org/stable/c/effec50381991bc06…
	https://git.kernel.org/stable/c/5a57f8eb2a17d469d…
	https://git.kernel.org/stable/c/adc3fd2a2277b7cc0…

Impacted products

Vendor

Product

Version

Linux

Affected: 3fe7acc6f4b42ccb1056c5847f18f8eb2fec0834 , < 0cfea60966e4b1239d20bebf02258295e189e82a (git)
Affected: c9e40880416791287292046917e84bcb3a17e2d2 , < effec50381991bc067acf4b3351a57831c74d27f (git)
Affected: 90c10286b176421068b136da51ed83059a68e322 , < 5a57f8eb2a17d469d65cd1186cea26b798221d4a (git)
Affected: 90c10286b176421068b136da51ed83059a68e322 , < adc3fd2a2277b7cc0b61692463771bf9bd298036 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22032",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:04:59.552136Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:05:03.541Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7921/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0cfea60966e4b1239d20bebf02258295e189e82a",
              "status": "affected",
              "version": "3fe7acc6f4b42ccb1056c5847f18f8eb2fec0834",
              "versionType": "git"
            },
            {
              "lessThan": "effec50381991bc067acf4b3351a57831c74d27f",
              "status": "affected",
              "version": "c9e40880416791287292046917e84bcb3a17e2d2",
              "versionType": "git"
            },
            {
              "lessThan": "5a57f8eb2a17d469d65cd1186cea26b798221d4a",
              "status": "affected",
              "version": "90c10286b176421068b136da51ed83059a68e322",
              "versionType": "git"
            },
            {
              "lessThan": "adc3fd2a2277b7cc0b61692463771bf9bd298036",
              "status": "affected",
              "version": "90c10286b176421068b136da51ed83059a68e322",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/mediatek/mt76/mt7921/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.12.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.13.2",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7921: fix kernel panic due to null pointer dereference\n\nAddress a kernel panic caused by a null pointer dereference in the\n`mt792x_rx_get_wcid` function. The issue arises because the `deflink` structure\nis not properly initialized with the `sta` context. This patch ensures that the\n`deflink` structure is correctly linked to the `sta` context, preventing the\nnull pointer dereference.\n\n BUG: kernel NULL pointer dereference, address: 0000000000000400\n #PF: supervisor read access in kernel mode\n #PF: error_code(0x0000) - not-present page\n PGD 0 P4D 0\n Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n CPU: 0 UID: 0 PID: 470 Comm: mt76-usb-rx phy Not tainted 6.12.13-gentoo-dist #1\n Hardware name:  /AMD HUDSON-M1, BIOS 4.6.4 11/15/2011\n RIP: 0010:mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib]\n RSP: 0018:ffffa147c055fd98 EFLAGS: 00010202\n RAX: 0000000000000000 RBX: ffff8e9ecb652000 RCX: 0000000000000000\n RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8e9ecb652000\n RBP: 0000000000000685 R08: ffff8e9ec6570000 R09: 0000000000000000\n R10: ffff8e9ecd2ca000 R11: ffff8e9f22a217c0 R12: 0000000038010119\n R13: 0000000080843801 R14: ffff8e9ec6570000 R15: ffff8e9ecb652000\n FS:  0000000000000000(0000) GS:ffff8e9f22a00000(0000) knlGS:0000000000000000\n CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n CR2: 0000000000000400 CR3: 000000000d2ea000 CR4: 00000000000006f0\n Call Trace:\n  \u003cTASK\u003e\n  ? __die_body.cold+0x19/0x27\n  ? page_fault_oops+0x15a/0x2f0\n  ? search_module_extables+0x19/0x60\n  ? search_bpf_extables+0x5f/0x80\n  ? exc_page_fault+0x7e/0x180\n  ? asm_exc_page_fault+0x26/0x30\n  ? mt792x_rx_get_wcid+0x48/0x140 [mt792x_lib]\n  mt7921_queue_rx_skb+0x1c6/0xaa0 [mt7921_common]\n  mt76u_alloc_queues+0x784/0x810 [mt76_usb]\n  ? __pfx___mt76_worker_fn+0x10/0x10 [mt76]\n  __mt76_worker_fn+0x4f/0x80 [mt76]\n  kthread+0xd2/0x100\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork+0x34/0x50\n  ? __pfx_kthread+0x10/0x10\n  ret_from_fork_asm+0x1a/0x30\n  \u003c/TASK\u003e\n ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:16:59.510Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0cfea60966e4b1239d20bebf02258295e189e82a"
        },
        {
          "url": "https://git.kernel.org/stable/c/effec50381991bc067acf4b3351a57831c74d27f"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a57f8eb2a17d469d65cd1186cea26b798221d4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/adc3fd2a2277b7cc0b61692463771bf9bd298036"
        }
      ],
      "title": "wifi: mt76: mt7921: fix kernel panic due to null pointer dereference",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22032",
    "datePublished": "2025-04-16T14:11:52.044Z",
    "dateReserved": "2024-12-29T08:45:45.808Z",
    "dateUpdated": "2025-10-01T17:05:03.541Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23134 (GCVE-0-2025-23134)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-10-01 16:15

Title

ALSA: timer: Don't take register_mutex with copy_from/to_user()

Summary

In the Linux kernel, the following vulnerability has been resolved: ALSA: timer: Don't take register_mutex with copy_from/to_user() The infamous mmap_lock taken in copy_from/to_user() can be often problematic when it's called inside another mutex, as they might lead to deadlocks. In the case of ALSA timer code, the bad pattern is with guard(mutex)(&register_mutex) that covers copy_from/to_user() -- which was mistakenly introduced at converting to guard(), and it had been carefully worked around in the past. This patch fixes those pieces simply by moving copy_from/to_user() out of the register mutex lock again.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-667 - Improper Locking

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/15291b561d8cc835a…
	https://git.kernel.org/stable/c/296f7a9e15aab276d…
	https://git.kernel.org/stable/c/b074f47e55df93832…
	https://git.kernel.org/stable/c/3424c8f53bc63c877…

Impacted products

Vendor

Product

Version

Linux

Affected: 3923de04c81733b30b8ed667569632272fdfed9a , < 15291b561d8cc835a2eea76b394070cf8e072771 (git)
Affected: 3923de04c81733b30b8ed667569632272fdfed9a , < 296f7a9e15aab276db11206cbc1e2ae1215d7862 (git)
Affected: 3923de04c81733b30b8ed667569632272fdfed9a , < b074f47e55df93832bbbca1b524c501e6fea1c0d (git)
Affected: 3923de04c81733b30b8ed667569632272fdfed9a , < 3424c8f53bc63c87712a7fc22dc13d0cc85fb0d6 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-23134",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T16:15:03.086763Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-667",
                "description": "CWE-667 Improper Locking",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T16:15:15.661Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/core/timer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "15291b561d8cc835a2eea76b394070cf8e072771",
              "status": "affected",
              "version": "3923de04c81733b30b8ed667569632272fdfed9a",
              "versionType": "git"
            },
            {
              "lessThan": "296f7a9e15aab276db11206cbc1e2ae1215d7862",
              "status": "affected",
              "version": "3923de04c81733b30b8ed667569632272fdfed9a",
              "versionType": "git"
            },
            {
              "lessThan": "b074f47e55df93832bbbca1b524c501e6fea1c0d",
              "status": "affected",
              "version": "3923de04c81733b30b8ed667569632272fdfed9a",
              "versionType": "git"
            },
            {
              "lessThan": "3424c8f53bc63c87712a7fc22dc13d0cc85fb0d6",
              "status": "affected",
              "version": "3923de04c81733b30b8ed667569632272fdfed9a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/core/timer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nALSA: timer: Don\u0027t take register_mutex with copy_from/to_user()\n\nThe infamous mmap_lock taken in copy_from/to_user() can be often\nproblematic when it\u0027s called inside another mutex, as they might lead\nto deadlocks.\n\nIn the case of ALSA timer code, the bad pattern is with\nguard(mutex)(\u0026register_mutex) that covers copy_from/to_user() -- which\nwas mistakenly introduced at converting to guard(), and it had been\ncarefully worked around in the past.\n\nThis patch fixes those pieces simply by moving copy_from/to_user() out\nof the register mutex lock again."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:12.614Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/15291b561d8cc835a2eea76b394070cf8e072771"
        },
        {
          "url": "https://git.kernel.org/stable/c/296f7a9e15aab276db11206cbc1e2ae1215d7862"
        },
        {
          "url": "https://git.kernel.org/stable/c/b074f47e55df93832bbbca1b524c501e6fea1c0d"
        },
        {
          "url": "https://git.kernel.org/stable/c/3424c8f53bc63c87712a7fc22dc13d0cc85fb0d6"
        }
      ],
      "title": "ALSA: timer: Don\u0027t take register_mutex with copy_from/to_user()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23134",
    "datePublished": "2025-04-16T14:13:15.144Z",
    "dateReserved": "2025-01-11T14:28:41.511Z",
    "dateUpdated": "2025-10-01T16:15:15.661Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37861 (GCVE-0-2025-37861)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:42 – Updated: 2025-05-26 05:22

Title

scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue

Summary

In the Linux kernel, the following vulnerability has been resolved: scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue When the task management thread processes reply queues while the reset thread resets them, the task management thread accesses an invalid queue ID (0xFFFF), set by the reset thread, which points to unallocated memory, causing a crash. Add flag 'io_admin_reset_sync' to synchronize access between the reset, I/O, and admin threads. Before a reset, the reset handler sets this flag to block I/O and admin processing threads. If any thread bypasses the initial check, the reset thread waits up to 10 seconds for processing to finish. If the wait exceeds 10 seconds, the controller is marked as unrecoverable.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/65ba18c84dbd03afe…
	https://git.kernel.org/stable/c/8d310d66e2b0f5f9f…
	https://git.kernel.org/stable/c/75b67dca4195e11cc…
	https://git.kernel.org/stable/c/f195fc060c738d303…

Impacted products

Vendor

Product

Version

Linux

Affected: c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df , < 65ba18c84dbd03afe9b38c06c151239d97a09834 (git)
Affected: c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df , < 8d310d66e2b0f5f9f709764641647e8a3a4924fa (git)
Affected: c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df , < 75b67dca4195e11ccf966a704787b2aa2754a457 (git)
Affected: c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df , < f195fc060c738d303a21fae146dbf85e1595fb4c (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/mpi3mr/mpi3mr.h",
            "drivers/scsi/mpi3mr/mpi3mr_fw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "65ba18c84dbd03afe9b38c06c151239d97a09834",
              "status": "affected",
              "version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
              "versionType": "git"
            },
            {
              "lessThan": "8d310d66e2b0f5f9f709764641647e8a3a4924fa",
              "status": "affected",
              "version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
              "versionType": "git"
            },
            {
              "lessThan": "75b67dca4195e11ccf966a704787b2aa2754a457",
              "status": "affected",
              "version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
              "versionType": "git"
            },
            {
              "lessThan": "f195fc060c738d303a21fae146dbf85e1595fb4c",
              "status": "affected",
              "version": "c4f7ac64616ee513f9ac4ae6c4d8c3cccb6974df",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/scsi/mpi3mr/mpi3mr.h",
            "drivers/scsi/mpi3mr/mpi3mr_fw.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nscsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue\n\nWhen the task management thread processes reply queues while the reset\nthread resets them, the task management thread accesses an invalid queue ID\n(0xFFFF), set by the reset thread, which points to unallocated memory,\ncausing a crash.\n\nAdd flag \u0027io_admin_reset_sync\u0027 to synchronize access between the reset,\nI/O, and admin threads. Before a reset, the reset handler sets this flag to\nblock I/O and admin processing threads. If any thread bypasses the initial\ncheck, the reset thread waits up to 10 seconds for processing to finish. If\nthe wait exceeds 10 seconds, the controller is marked as unrecoverable."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:30.734Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/65ba18c84dbd03afe9b38c06c151239d97a09834"
        },
        {
          "url": "https://git.kernel.org/stable/c/8d310d66e2b0f5f9f709764641647e8a3a4924fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/75b67dca4195e11ccf966a704787b2aa2754a457"
        },
        {
          "url": "https://git.kernel.org/stable/c/f195fc060c738d303a21fae146dbf85e1595fb4c"
        }
      ],
      "title": "scsi: mpi3mr: Synchronous access b/w reset and tm thread for reply queue",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37861",
    "datePublished": "2025-05-09T06:42:07.245Z",
    "dateReserved": "2025-04-16T04:51:23.957Z",
    "dateUpdated": "2025-05-26T05:22:30.734Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37796 (GCVE-0-2025-37796)

Vulnerability from cvelistv5 – Published: 2025-05-01 13:07 – Updated: 2025-11-03 19:55

Title

wifi: at76c50x: fix use after free access in at76_disconnect

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: at76c50x: fix use after free access in at76_disconnect The memory pointed to by priv is freed at the end of at76_delete_device function (using ieee80211_free_hw). But the code then accesses the udev field of the freed object to put the USB device. This may also lead to a memory leak of the usb device. Fix this by using udev from interface.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c731cdfddcf1be159…
	https://git.kernel.org/stable/c/6e4ab3e574c2a335b…
	https://git.kernel.org/stable/c/3c619aec1f538333b…
	https://git.kernel.org/stable/c/5e7df74745700f059…
	https://git.kernel.org/stable/c/7ca513631fa6ad301…
	https://git.kernel.org/stable/c/a9682bfef2cf38025…
	https://git.kernel.org/stable/c/152721cbae42713ec…
	https://git.kernel.org/stable/c/27c7e63b3cb1a20bb…

Impacted products

Vendor

Product

Version

Linux

Affected: 29e20aa6c6aff35c81d4da2e2cd516dadb569061 , < c731cdfddcf1be1590d5ba8c9b508f98e3a2b3d6 (git)
Affected: 29e20aa6c6aff35c81d4da2e2cd516dadb569061 , < 6e4ab3e574c2a335b40fa1f70d1c54fcb58ab33f (git)
Affected: 29e20aa6c6aff35c81d4da2e2cd516dadb569061 , < 3c619aec1f538333b56746d2f796aab1bca5c9a5 (git)
Affected: 29e20aa6c6aff35c81d4da2e2cd516dadb569061 , < 5e7df74745700f059dc117a620e566964a2e8f2c (git)
Affected: 29e20aa6c6aff35c81d4da2e2cd516dadb569061 , < 7ca513631fa6ad3011b8b9197cdde0f351103704 (git)
Affected: 29e20aa6c6aff35c81d4da2e2cd516dadb569061 , < a9682bfef2cf3802515a902e964d774e137be1b9 (git)
Affected: 29e20aa6c6aff35c81d4da2e2cd516dadb569061 , < 152721cbae42713ecfbca6847e0f102ee6b19546 (git)
Affected: 29e20aa6c6aff35c81d4da2e2cd516dadb569061 , < 27c7e63b3cb1a20bb78ed4a36c561ea4579fd7da (git)

Linux

Affected: 3.17
Unaffected: 0 , < 3.17 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:55:25.591Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/atmel/at76c50x-usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c731cdfddcf1be1590d5ba8c9b508f98e3a2b3d6",
              "status": "affected",
              "version": "29e20aa6c6aff35c81d4da2e2cd516dadb569061",
              "versionType": "git"
            },
            {
              "lessThan": "6e4ab3e574c2a335b40fa1f70d1c54fcb58ab33f",
              "status": "affected",
              "version": "29e20aa6c6aff35c81d4da2e2cd516dadb569061",
              "versionType": "git"
            },
            {
              "lessThan": "3c619aec1f538333b56746d2f796aab1bca5c9a5",
              "status": "affected",
              "version": "29e20aa6c6aff35c81d4da2e2cd516dadb569061",
              "versionType": "git"
            },
            {
              "lessThan": "5e7df74745700f059dc117a620e566964a2e8f2c",
              "status": "affected",
              "version": "29e20aa6c6aff35c81d4da2e2cd516dadb569061",
              "versionType": "git"
            },
            {
              "lessThan": "7ca513631fa6ad3011b8b9197cdde0f351103704",
              "status": "affected",
              "version": "29e20aa6c6aff35c81d4da2e2cd516dadb569061",
              "versionType": "git"
            },
            {
              "lessThan": "a9682bfef2cf3802515a902e964d774e137be1b9",
              "status": "affected",
              "version": "29e20aa6c6aff35c81d4da2e2cd516dadb569061",
              "versionType": "git"
            },
            {
              "lessThan": "152721cbae42713ecfbca6847e0f102ee6b19546",
              "status": "affected",
              "version": "29e20aa6c6aff35c81d4da2e2cd516dadb569061",
              "versionType": "git"
            },
            {
              "lessThan": "27c7e63b3cb1a20bb78ed4a36c561ea4579fd7da",
              "status": "affected",
              "version": "29e20aa6c6aff35c81d4da2e2cd516dadb569061",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/atmel/at76c50x-usb.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.17"
            },
            {
              "lessThan": "3.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "3.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: at76c50x: fix use after free access in at76_disconnect\n\nThe memory pointed to by priv is freed at the end of at76_delete_device\nfunction (using ieee80211_free_hw). But the code then accesses the udev\nfield of the freed object to put the USB device. This may also lead to a\nmemory leak of the usb device. Fix this by using udev from interface."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:03.759Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c731cdfddcf1be1590d5ba8c9b508f98e3a2b3d6"
        },
        {
          "url": "https://git.kernel.org/stable/c/6e4ab3e574c2a335b40fa1f70d1c54fcb58ab33f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c619aec1f538333b56746d2f796aab1bca5c9a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e7df74745700f059dc117a620e566964a2e8f2c"
        },
        {
          "url": "https://git.kernel.org/stable/c/7ca513631fa6ad3011b8b9197cdde0f351103704"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9682bfef2cf3802515a902e964d774e137be1b9"
        },
        {
          "url": "https://git.kernel.org/stable/c/152721cbae42713ecfbca6847e0f102ee6b19546"
        },
        {
          "url": "https://git.kernel.org/stable/c/27c7e63b3cb1a20bb78ed4a36c561ea4579fd7da"
        }
      ],
      "title": "wifi: at76c50x: fix use after free access in at76_disconnect",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37796",
    "datePublished": "2025-05-01T13:07:27.694Z",
    "dateReserved": "2025-04-16T04:51:23.941Z",
    "dateUpdated": "2025-11-03T19:55:25.591Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22056 (GCVE-0-2025-22056)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-11-03 19:41

Title

netfilter: nft_tunnel: fix geneve_opt type confusion addition

Summary

In the Linux kernel, the following vulnerability has been resolved: netfilter: nft_tunnel: fix geneve_opt type confusion addition When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the parsing logic should place every geneve_opt structure one by one compactly. Hence, when deciding the next geneve_opt position, the pointer addition should be in units of char *. However, the current implementation erroneously does type conversion before the addition, which will lead to heap out-of-bounds write. [ 6.989857] ================================================================== [ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70 [ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178 [ 6.991162] [ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1 [ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 6.992281] Call Trace: [ 6.992423] <TASK> [ 6.992586] dump_stack_lvl+0x44/0x5c [ 6.992801] print_report+0x184/0x4be [ 6.993790] kasan_report+0xc5/0x100 [ 6.994252] kasan_check_range+0xf3/0x1a0 [ 6.994486] memcpy+0x38/0x60 [ 6.994692] nft_tunnel_obj_init+0x977/0xa70 [ 6.995677] nft_obj_init+0x10c/0x1b0 [ 6.995891] nf_tables_newobj+0x585/0x950 [ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020 [ 6.998997] nfnetlink_rcv+0x1df/0x220 [ 6.999537] netlink_unicast+0x395/0x530 [ 7.000771] netlink_sendmsg+0x3d0/0x6d0 [ 7.001462] __sock_sendmsg+0x99/0xa0 [ 7.001707] ____sys_sendmsg+0x409/0x450 [ 7.002391] ___sys_sendmsg+0xfd/0x170 [ 7.003145] __sys_sendmsg+0xea/0x170 [ 7.004359] do_syscall_64+0x5e/0x90 [ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8 [ 7.006127] RIP: 0033:0x7ec756d4e407 [ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf [ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e [ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407 [ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003 [ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000 [ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000 [ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8 Fix this bug with correct pointer addition and conversion in parse and dump code.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/31d49eb436f2da612…
	https://git.kernel.org/stable/c/ca2adfc03cd6273f0…
	https://git.kernel.org/stable/c/a263d31c8c92e5919…
	https://git.kernel.org/stable/c/28d88ee1e1cc8ac2d…
	https://git.kernel.org/stable/c/0a93a710d6df334b8…
	https://git.kernel.org/stable/c/446d94898c560ed2f…
	https://git.kernel.org/stable/c/708e268acb3a446ad…
	https://git.kernel.org/stable/c/1b755d8eb1ace3870…

Impacted products

Vendor

Product

Version

Linux

Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 31d49eb436f2da61280508d7adf8c9b473b967aa (git)
Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < ca2adfc03cd6273f0b589fe65afc6f75e0fe116e (git)
Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < a263d31c8c92e5919d41af57d9479cfb66323782 (git)
Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 28d88ee1e1cc8ac2d79aeb112717b97c5c833d43 (git)
Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 0a93a710d6df334b828ea064c6d39fda34f901dc (git)
Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 446d94898c560ed2f61e26ae445858a4c4830762 (git)
Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 708e268acb3a446ad2a8a3d2e9bd41cc23660cd6 (git)
Affected: 925d844696d9287f841d6b3e0ed62a35fb175970 , < 1b755d8eb1ace3870789d48fbd94f386ad6e30be (git)

Linux

Affected: 5.7
Unaffected: 0 , < 5.7 (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22056",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:41:22.716014Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:41:26.294Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:41.225Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_tunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "31d49eb436f2da61280508d7adf8c9b473b967aa",
              "status": "affected",
              "version": "925d844696d9287f841d6b3e0ed62a35fb175970",
              "versionType": "git"
            },
            {
              "lessThan": "ca2adfc03cd6273f0b589fe65afc6f75e0fe116e",
              "status": "affected",
              "version": "925d844696d9287f841d6b3e0ed62a35fb175970",
              "versionType": "git"
            },
            {
              "lessThan": "a263d31c8c92e5919d41af57d9479cfb66323782",
              "status": "affected",
              "version": "925d844696d9287f841d6b3e0ed62a35fb175970",
              "versionType": "git"
            },
            {
              "lessThan": "28d88ee1e1cc8ac2d79aeb112717b97c5c833d43",
              "status": "affected",
              "version": "925d844696d9287f841d6b3e0ed62a35fb175970",
              "versionType": "git"
            },
            {
              "lessThan": "0a93a710d6df334b828ea064c6d39fda34f901dc",
              "status": "affected",
              "version": "925d844696d9287f841d6b3e0ed62a35fb175970",
              "versionType": "git"
            },
            {
              "lessThan": "446d94898c560ed2f61e26ae445858a4c4830762",
              "status": "affected",
              "version": "925d844696d9287f841d6b3e0ed62a35fb175970",
              "versionType": "git"
            },
            {
              "lessThan": "708e268acb3a446ad2a8a3d2e9bd41cc23660cd6",
              "status": "affected",
              "version": "925d844696d9287f841d6b3e0ed62a35fb175970",
              "versionType": "git"
            },
            {
              "lessThan": "1b755d8eb1ace3870789d48fbd94f386ad6e30be",
              "status": "affected",
              "version": "925d844696d9287f841d6b3e0ed62a35fb175970",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/netfilter/nft_tunnel.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.7"
            },
            {
              "lessThan": "5.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfilter: nft_tunnel: fix geneve_opt type confusion addition\n\nWhen handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the\nparsing logic should place every geneve_opt structure one by one\ncompactly. Hence, when deciding the next geneve_opt position, the\npointer addition should be in units of char *.\n\nHowever, the current implementation erroneously does type conversion\nbefore the addition, which will lead to heap out-of-bounds write.\n\n[    6.989857] ==================================================================\n[    6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70\n[    6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178\n[    6.991162]\n[    6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1\n[    6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014\n[    6.992281] Call Trace:\n[    6.992423]  \u003cTASK\u003e\n[    6.992586]  dump_stack_lvl+0x44/0x5c\n[    6.992801]  print_report+0x184/0x4be\n[    6.993790]  kasan_report+0xc5/0x100\n[    6.994252]  kasan_check_range+0xf3/0x1a0\n[    6.994486]  memcpy+0x38/0x60\n[    6.994692]  nft_tunnel_obj_init+0x977/0xa70\n[    6.995677]  nft_obj_init+0x10c/0x1b0\n[    6.995891]  nf_tables_newobj+0x585/0x950\n[    6.996922]  nfnetlink_rcv_batch+0xdf9/0x1020\n[    6.998997]  nfnetlink_rcv+0x1df/0x220\n[    6.999537]  netlink_unicast+0x395/0x530\n[    7.000771]  netlink_sendmsg+0x3d0/0x6d0\n[    7.001462]  __sock_sendmsg+0x99/0xa0\n[    7.001707]  ____sys_sendmsg+0x409/0x450\n[    7.002391]  ___sys_sendmsg+0xfd/0x170\n[    7.003145]  __sys_sendmsg+0xea/0x170\n[    7.004359]  do_syscall_64+0x5e/0x90\n[    7.005817]  entry_SYSCALL_64_after_hwframe+0x6e/0xd8\n[    7.006127] RIP: 0033:0x7ec756d4e407\n[    7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 \u003c5b\u003e c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf\n[    7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e\n[    7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407\n[    7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003\n[    7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000\n[    7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000\n[    7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8\n\nFix this bug with correct pointer addition and conversion in parse\nand dump code."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:30.555Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/31d49eb436f2da61280508d7adf8c9b473b967aa"
        },
        {
          "url": "https://git.kernel.org/stable/c/ca2adfc03cd6273f0b589fe65afc6f75e0fe116e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a263d31c8c92e5919d41af57d9479cfb66323782"
        },
        {
          "url": "https://git.kernel.org/stable/c/28d88ee1e1cc8ac2d79aeb112717b97c5c833d43"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a93a710d6df334b828ea064c6d39fda34f901dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/446d94898c560ed2f61e26ae445858a4c4830762"
        },
        {
          "url": "https://git.kernel.org/stable/c/708e268acb3a446ad2a8a3d2e9bd41cc23660cd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b755d8eb1ace3870789d48fbd94f386ad6e30be"
        }
      ],
      "title": "netfilter: nft_tunnel: fix geneve_opt type confusion addition",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22056",
    "datePublished": "2025-04-16T14:12:13.440Z",
    "dateReserved": "2024-12-29T08:45:45.812Z",
    "dateUpdated": "2025-11-03T19:41:41.225Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-38001 (GCVE-0-2025-38001)

Vulnerability from cvelistv5 – Published: 2025-06-06 13:41 – Updated: 2025-11-03 17:33

Title

net_sched: hfsc: Address reentrant enqueue adding class to eltree twice

Summary

In the Linux kernel, the following vulnerability has been resolved: net_sched: hfsc: Address reentrant enqueue adding class to eltree twice Savino says: "We are writing to report that this recent patch (141d34391abbb315d68556b7c67ad97885407547) [1] can be bypassed, and a UAF can still occur when HFSC is utilized with NETEM. The patch only checks the cl->cl_nactive field to determine whether it is the first insertion or not [2], but this field is only incremented by init_vf [3]. By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the check and insert the class twice in the eltree. Under normal conditions, this would lead to an infinite loop in hfsc_dequeue for the reasons we already explained in this report [5]. However, if TBF is added as root qdisc and it is configured with a very low rate, it can be utilized to prevent packets from being dequeued. This behavior can be exploited to perform subsequent insertions in the HFSC eltree and cause a UAF." To fix both the UAF and the infinite loop, with netem as an hfsc child, check explicitly in hfsc_enqueue whether the class is already in the eltree whenever the HFSC_RSC flag is set. [1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547 [2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572 [3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677 [4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574 [5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e5bee633cc2764103…
	https://git.kernel.org/stable/c/6672e6c00810056ac…
	https://git.kernel.org/stable/c/2c928b3a0b04a431f…
	https://git.kernel.org/stable/c/a0ec22fa20b252edb…
	https://git.kernel.org/stable/c/295f7c579b07b5b7c…
	https://git.kernel.org/stable/c/2f2190ce4ca972051…
	https://git.kernel.org/stable/c/4e38eaaabfb7fffbb…
	https://git.kernel.org/stable/c/39ed887b1dd2d6b72…
	https://git.kernel.org/stable/c/ac9fe7dd8e730a103…

Impacted products

Vendor

Product

Version

Linux

Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < e5bee633cc276410337d54b99f77fbc1ad8801e5 (git)
Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 6672e6c00810056acaac019fe26cdc26fee8a66c (git)
Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 2c928b3a0b04a431ffcd6c8b7d88a267124a3a28 (git)
Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < a0ec22fa20b252edbe070a9de8501eef63c17ef5 (git)
Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 295f7c579b07b5b7cf2dffe485f71cc2f27647cb (git)
Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 2f2190ce4ca972051cac6a8d7937448f8cb9673c (git)
Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 4e38eaaabfb7fffbb371a51150203e19eee5d70e (git)
Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < 39ed887b1dd2d6b720f87e86692ac3006cc111c8 (git)
Affected: 37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea , < ac9fe7dd8e730a103ae4481147395cc73492d786 (git)

Linux

Affected: 5.0
Unaffected: 0 , < 5.0 (semver)
Unaffected: 5.4.294 , ≤ 5.4.* (semver)
Unaffected: 5.10.238 , ≤ 5.10.* (semver)
Unaffected: 5.15.185 , ≤ 5.15.* (semver)
Unaffected: 6.1.141 , ≤ 6.1.* (semver)
Unaffected: 6.6.93 , ≤ 6.6.* (semver)
Unaffected: 6.12.32 , ≤ 6.12.* (semver)
Unaffected: 6.14.10 , ≤ 6.14.* (semver)
Unaffected: 6.15.1 , ≤ 6.15.* (semver)
Unaffected: 6.16 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T17:33:00.634Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://syst3mfailure.io/rbtree-family-drama/"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00008.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_hfsc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e5bee633cc276410337d54b99f77fbc1ad8801e5",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "6672e6c00810056acaac019fe26cdc26fee8a66c",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "2c928b3a0b04a431ffcd6c8b7d88a267124a3a28",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "a0ec22fa20b252edbe070a9de8501eef63c17ef5",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "295f7c579b07b5b7cf2dffe485f71cc2f27647cb",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "2f2190ce4ca972051cac6a8d7937448f8cb9673c",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "4e38eaaabfb7fffbb371a51150203e19eee5d70e",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "39ed887b1dd2d6b720f87e86692ac3006cc111c8",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            },
            {
              "lessThan": "ac9fe7dd8e730a103ae4481147395cc73492d786",
              "status": "affected",
              "version": "37d9cf1a3ce35de3df6f7d209bfb1f50cf188cea",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/sched/sch_hfsc.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.0"
            },
            {
              "lessThan": "5.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.185",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.141",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.93",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.32",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.15.*",
              "status": "unaffected",
              "version": "6.15.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.16",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.185",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.141",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.93",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.32",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.10",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15.1",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.16",
                  "versionStartIncluding": "5.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet_sched: hfsc: Address reentrant enqueue adding class to eltree twice\n\nSavino says:\n    \"We are writing to report that this recent patch\n    (141d34391abbb315d68556b7c67ad97885407547) [1]\n    can be bypassed, and a UAF can still occur when HFSC is utilized with\n    NETEM.\n\n    The patch only checks the cl-\u003ecl_nactive field to determine whether\n    it is the first insertion or not [2], but this field is only\n    incremented by init_vf [3].\n\n    By using HFSC_RSC (which uses init_ed) [4], it is possible to bypass the\n    check and insert the class twice in the eltree.\n    Under normal conditions, this would lead to an infinite loop in\n    hfsc_dequeue for the reasons we already explained in this report [5].\n\n    However, if TBF is added as root qdisc and it is configured with a\n    very low rate,\n    it can be utilized to prevent packets from being dequeued.\n    This behavior can be exploited to perform subsequent insertions in the\n    HFSC eltree and cause a UAF.\"\n\nTo fix both the UAF and the infinite loop, with netem as an hfsc child,\ncheck explicitly in hfsc_enqueue whether the class is already in the eltree\nwhenever the HFSC_RSC flag is set.\n\n[1] https://web.git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=141d34391abbb315d68556b7c67ad97885407547\n[2] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1572\n[3] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L677\n[4] https://elixir.bootlin.com/linux/v6.15-rc5/source/net/sched/sch_hfsc.c#L1574\n[5] https://lore.kernel.org/netdev/8DuRWwfqjoRDLDmBMlIfbrsZg9Gx50DHJc1ilxsEBNe2D6NMoigR_eIRIG0LOjMc3r10nUUZtArXx4oZBIdUfZQrwjcQhdinnMis_0G7VEk=@willsroot.io/T/#u"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-28T04:11:54.147Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e5bee633cc276410337d54b99f77fbc1ad8801e5"
        },
        {
          "url": "https://git.kernel.org/stable/c/6672e6c00810056acaac019fe26cdc26fee8a66c"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c928b3a0b04a431ffcd6c8b7d88a267124a3a28"
        },
        {
          "url": "https://git.kernel.org/stable/c/a0ec22fa20b252edbe070a9de8501eef63c17ef5"
        },
        {
          "url": "https://git.kernel.org/stable/c/295f7c579b07b5b7cf2dffe485f71cc2f27647cb"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f2190ce4ca972051cac6a8d7937448f8cb9673c"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e38eaaabfb7fffbb371a51150203e19eee5d70e"
        },
        {
          "url": "https://git.kernel.org/stable/c/39ed887b1dd2d6b720f87e86692ac3006cc111c8"
        },
        {
          "url": "https://git.kernel.org/stable/c/ac9fe7dd8e730a103ae4481147395cc73492d786"
        }
      ],
      "title": "net_sched: hfsc: Address reentrant enqueue adding class to eltree twice",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-38001",
    "datePublished": "2025-06-06T13:41:45.462Z",
    "dateReserved": "2025-04-16T04:51:23.976Z",
    "dateUpdated": "2025-11-03T17:33:00.634Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37852 (GCVE-0-2025-37852)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:41 – Updated: 2026-01-02 15:29

Title

drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create() Add error handling to propagate amdgpu_cgs_create_device() failures to the caller. When amdgpu_cgs_create_device() fails, release hwmgr and return -ENOMEM to prevent null pointer dereference. [v1]->[v2]: Change error code from -EINVAL to -ENOMEM. Free hwmgr.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/55ef52c30c3e747f1…
	https://git.kernel.org/stable/c/f8693e1bae9c08233…
	https://git.kernel.org/stable/c/dc4380f34613eaae9…
	https://git.kernel.org/stable/c/22ea19cc089013b55…
	https://git.kernel.org/stable/c/b784734811438f115…
	https://git.kernel.org/stable/c/1435e895d4fc967d6…

Impacted products

Vendor

Product

Version

Linux

Affected: b905090d2bae2e6189511714a7b88691b439c5a1 , < 55ef52c30c3e747f145a64de96192e37a8fed670 (git)
Affected: b905090d2bae2e6189511714a7b88691b439c5a1 , < f8693e1bae9c08233a2f535c3f412e157df32b33 (git)
Affected: b905090d2bae2e6189511714a7b88691b439c5a1 , < dc4380f34613eaae997b3ed263bd1cb3d0fd0075 (git)
Affected: b905090d2bae2e6189511714a7b88691b439c5a1 , < 22ea19cc089013b55c240134dbb2797700ff5a6a (git)
Affected: b905090d2bae2e6189511714a7b88691b439c5a1 , < b784734811438f11533e2fb9e0deb327844bdb56 (git)
Affected: b905090d2bae2e6189511714a7b88691b439c5a1 , < 1435e895d4fc967d64e9f5bf81e992ac32f5ac76 (git)

Linux

Affected: 4.17
Unaffected: 0 , < 4.17 (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:29.052Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "55ef52c30c3e747f145a64de96192e37a8fed670",
              "status": "affected",
              "version": "b905090d2bae2e6189511714a7b88691b439c5a1",
              "versionType": "git"
            },
            {
              "lessThan": "f8693e1bae9c08233a2f535c3f412e157df32b33",
              "status": "affected",
              "version": "b905090d2bae2e6189511714a7b88691b439c5a1",
              "versionType": "git"
            },
            {
              "lessThan": "dc4380f34613eaae997b3ed263bd1cb3d0fd0075",
              "status": "affected",
              "version": "b905090d2bae2e6189511714a7b88691b439c5a1",
              "versionType": "git"
            },
            {
              "lessThan": "22ea19cc089013b55c240134dbb2797700ff5a6a",
              "status": "affected",
              "version": "b905090d2bae2e6189511714a7b88691b439c5a1",
              "versionType": "git"
            },
            {
              "lessThan": "b784734811438f11533e2fb9e0deb327844bdb56",
              "status": "affected",
              "version": "b905090d2bae2e6189511714a7b88691b439c5a1",
              "versionType": "git"
            },
            {
              "lessThan": "1435e895d4fc967d64e9f5bf81e992ac32f5ac76",
              "status": "affected",
              "version": "b905090d2bae2e6189511714a7b88691b439c5a1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/pm/powerplay/amd_powerplay.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.17"
            },
            {
              "lessThan": "4.17",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.17",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()\n\nAdd error handling to propagate amdgpu_cgs_create_device() failures\nto the caller. When amdgpu_cgs_create_device() fails, release hwmgr\nand return -ENOMEM to prevent null pointer dereference.\n\n[v1]-\u003e[v2]: Change error code from -EINVAL to -ENOMEM. Free hwmgr."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:15.856Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/55ef52c30c3e747f145a64de96192e37a8fed670"
        },
        {
          "url": "https://git.kernel.org/stable/c/f8693e1bae9c08233a2f535c3f412e157df32b33"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc4380f34613eaae997b3ed263bd1cb3d0fd0075"
        },
        {
          "url": "https://git.kernel.org/stable/c/22ea19cc089013b55c240134dbb2797700ff5a6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b784734811438f11533e2fb9e0deb327844bdb56"
        },
        {
          "url": "https://git.kernel.org/stable/c/1435e895d4fc967d64e9f5bf81e992ac32f5ac76"
        }
      ],
      "title": "drm/amdgpu: handle amdgpu_cgs_create_device() errors in amd_powerplay_create()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37852",
    "datePublished": "2025-05-09T06:41:59.094Z",
    "dateReserved": "2025-04-16T04:51:23.955Z",
    "dateUpdated": "2026-01-02T15:29:15.856Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37864 (GCVE-0-2025-37864)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:43 – Updated: 2025-05-26 05:22

Title

net: dsa: clean up FDB, MDB, VLAN entries on unbind

Summary

In the Linux kernel, the following vulnerability has been resolved: net: dsa: clean up FDB, MDB, VLAN entries on unbind As explained in many places such as commit b117e1e8a86d ("net: dsa: delete dsa_legacy_fdb_add and dsa_legacy_fdb_del"), DSA is written given the assumption that higher layers have balanced additions/deletions. As such, it only makes sense to be extremely vocal when those assumptions are violated and the driver unbinds with entries still present. But Ido Schimmel points out a very simple situation where that is wrong: https://lore.kernel.org/netdev/ZDazSM5UsPPjQuKr@shredder/ (also briefly discussed by me in the aforementioned commit). Basically, while the bridge bypass operations are not something that DSA explicitly documents, and for the majority of DSA drivers this API simply causes them to go to promiscuous mode, that isn't the case for all drivers. Some have the necessary requirements for bridge bypass operations to do something useful - see dsa_switch_supports_uc_filtering(). Although in tools/testing/selftests/net/forwarding/local_termination.sh, we made an effort to popularize better mechanisms to manage address filters on DSA interfaces from user space - namely macvlan for unicast, and setsockopt(IP_ADD_MEMBERSHIP) - through mtools - for multicast, the fact is that 'bridge fdb add ... self static local' also exists as kernel UAPI, and might be useful to someone, even if only for a quick hack. It seems counter-productive to block that path by implementing shim .ndo_fdb_add and .ndo_fdb_del operations which just return -EOPNOTSUPP in order to prevent the ndo_dflt_fdb_add() and ndo_dflt_fdb_del() from running, although we could do that. Accepting that cleanup is necessary seems to be the only option. Especially since we appear to be coming back at this from a different angle as well. Russell King is noticing that the WARN_ON() triggers even for VLANs: https://lore.kernel.org/netdev/Z_li8Bj8bD4-BYKQ@shell.armlinux.org.uk/ What happens in the bug report above is that dsa_port_do_vlan_del() fails, then the VLAN entry lingers on, and then we warn on unbind and leak it. This is not a straight revert of the blamed commit, but we now add an informational print to the kernel log (to still have a way to see that bugs exist), and some extra comments gathered from past years' experience, to justify the logic.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/86c6613a69bca815f…
	https://git.kernel.org/stable/c/8fcc1e6f808912977…
	https://git.kernel.org/stable/c/99c50c98803425378…
	https://git.kernel.org/stable/c/7afb5fb42d4950f33…

Impacted products

Vendor

Product

Version

Linux

Affected: 0832cd9f1f023226527e95002d537123061ddac4 , < 86c6613a69bca815f1865ed8cedfd4b9142621ab (git)
Affected: 0832cd9f1f023226527e95002d537123061ddac4 , < 8fcc1e6f808912977caf17366c625b95dc29ba4f (git)
Affected: 0832cd9f1f023226527e95002d537123061ddac4 , < 99c50c98803425378e08a7394dc885506dc85f06 (git)
Affected: 0832cd9f1f023226527e95002d537123061ddac4 , < 7afb5fb42d4950f33af2732b8147c552659f79b7 (git)

Linux

Affected: 5.18
Unaffected: 0 , < 5.18 (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/dsa/dsa.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "86c6613a69bca815f1865ed8cedfd4b9142621ab",
              "status": "affected",
              "version": "0832cd9f1f023226527e95002d537123061ddac4",
              "versionType": "git"
            },
            {
              "lessThan": "8fcc1e6f808912977caf17366c625b95dc29ba4f",
              "status": "affected",
              "version": "0832cd9f1f023226527e95002d537123061ddac4",
              "versionType": "git"
            },
            {
              "lessThan": "99c50c98803425378e08a7394dc885506dc85f06",
              "status": "affected",
              "version": "0832cd9f1f023226527e95002d537123061ddac4",
              "versionType": "git"
            },
            {
              "lessThan": "7afb5fb42d4950f33af2732b8147c552659f79b7",
              "status": "affected",
              "version": "0832cd9f1f023226527e95002d537123061ddac4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/dsa/dsa.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.18"
            },
            {
              "lessThan": "5.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: dsa: clean up FDB, MDB, VLAN entries on unbind\n\nAs explained in many places such as commit b117e1e8a86d (\"net: dsa:\ndelete dsa_legacy_fdb_add and dsa_legacy_fdb_del\"), DSA is written given\nthe assumption that higher layers have balanced additions/deletions.\nAs such, it only makes sense to be extremely vocal when those\nassumptions are violated and the driver unbinds with entries still\npresent.\n\nBut Ido Schimmel points out a very simple situation where that is wrong:\nhttps://lore.kernel.org/netdev/ZDazSM5UsPPjQuKr@shredder/\n(also briefly discussed by me in the aforementioned commit).\n\nBasically, while the bridge bypass operations are not something that DSA\nexplicitly documents, and for the majority of DSA drivers this API\nsimply causes them to go to promiscuous mode, that isn\u0027t the case for\nall drivers. Some have the necessary requirements for bridge bypass\noperations to do something useful - see dsa_switch_supports_uc_filtering().\n\nAlthough in tools/testing/selftests/net/forwarding/local_termination.sh,\nwe made an effort to popularize better mechanisms to manage address\nfilters on DSA interfaces from user space - namely macvlan for unicast,\nand setsockopt(IP_ADD_MEMBERSHIP) - through mtools - for multicast, the\nfact is that \u0027bridge fdb add ... self static local\u0027 also exists as\nkernel UAPI, and might be useful to someone, even if only for a quick\nhack.\n\nIt seems counter-productive to block that path by implementing shim\n.ndo_fdb_add and .ndo_fdb_del operations which just return -EOPNOTSUPP\nin order to prevent the ndo_dflt_fdb_add() and ndo_dflt_fdb_del() from\nrunning, although we could do that.\n\nAccepting that cleanup is necessary seems to be the only option.\nEspecially since we appear to be coming back at this from a different\nangle as well. Russell King is noticing that the WARN_ON() triggers even\nfor VLANs:\nhttps://lore.kernel.org/netdev/Z_li8Bj8bD4-BYKQ@shell.armlinux.org.uk/\n\nWhat happens in the bug report above is that dsa_port_do_vlan_del() fails,\nthen the VLAN entry lingers on, and then we warn on unbind and leak it.\n\nThis is not a straight revert of the blamed commit, but we now add an\ninformational print to the kernel log (to still have a way to see\nthat bugs exist), and some extra comments gathered from past years\u0027\nexperience, to justify the logic."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:34.722Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/86c6613a69bca815f1865ed8cedfd4b9142621ab"
        },
        {
          "url": "https://git.kernel.org/stable/c/8fcc1e6f808912977caf17366c625b95dc29ba4f"
        },
        {
          "url": "https://git.kernel.org/stable/c/99c50c98803425378e08a7394dc885506dc85f06"
        },
        {
          "url": "https://git.kernel.org/stable/c/7afb5fb42d4950f33af2732b8147c552659f79b7"
        }
      ],
      "title": "net: dsa: clean up FDB, MDB, VLAN entries on unbind",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37864",
    "datePublished": "2025-05-09T06:43:54.873Z",
    "dateReserved": "2025-04-16T04:51:23.958Z",
    "dateUpdated": "2025-05-26T05:22:34.722Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21830 (GCVE-0-2025-21830)

Vulnerability from cvelistv5 – Published: 2025-03-06 16:08 – Updated: 2025-11-03 21:00

Title

landlock: Handle weird files

Summary

In the Linux kernel, the following vulnerability has been resolved: landlock: Handle weird files A corrupted filesystem (e.g. bcachefs) might return weird files. Instead of throwing a warning and allowing access to such file, treat them as regular files.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a1fccf6b72b56343d…
	https://git.kernel.org/stable/c/7d6121228959ddf44…
	https://git.kernel.org/stable/c/39bb3d56f1c351e76…
	https://git.kernel.org/stable/c/2569e65d2eb6ac1af…
	https://git.kernel.org/stable/c/0fde195a373ab1267…
	https://git.kernel.org/stable/c/49440290a0935f428…

Impacted products

Vendor

Product

Version

Linux

Affected: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d , < a1fccf6b72b56343dd4f2d96b008147f9951eebd (git)
Affected: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d , < 7d6121228959ddf44a4b9b6a177384ac7854e2f9 (git)
Affected: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d , < 39bb3d56f1c351e76bb18895d0e73796e653d5c1 (git)
Affected: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d , < 2569e65d2eb6ac1afe6cb6dfae476afee8b6771a (git)
Affected: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d , < 0fde195a373ab1267e60baa9e1a703a97e7464cd (git)
Affected: cb2c7d1a1776057c9a1f48ed1250d85e94d4850d , < 49440290a0935f428a1e43a5ac8dc275a647ff80 (git)

Linux

Affected: 5.13
Unaffected: 0 , < 5.13 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T21:00:01.286Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "security/landlock/fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a1fccf6b72b56343dd4f2d96b008147f9951eebd",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "7d6121228959ddf44a4b9b6a177384ac7854e2f9",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "39bb3d56f1c351e76bb18895d0e73796e653d5c1",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "2569e65d2eb6ac1afe6cb6dfae476afee8b6771a",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "0fde195a373ab1267e60baa9e1a703a97e7464cd",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            },
            {
              "lessThan": "49440290a0935f428a1e43a5ac8dc275a647ff80",
              "status": "affected",
              "version": "cb2c7d1a1776057c9a1f48ed1250d85e94d4850d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "security/landlock/fs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.13"
            },
            {
              "lessThan": "5.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nlandlock: Handle weird files\n\nA corrupted filesystem (e.g. bcachefs) might return weird files.\nInstead of throwing a warning and allowing access to such file, treat\nthem as regular files."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:03.240Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a1fccf6b72b56343dd4f2d96b008147f9951eebd"
        },
        {
          "url": "https://git.kernel.org/stable/c/7d6121228959ddf44a4b9b6a177384ac7854e2f9"
        },
        {
          "url": "https://git.kernel.org/stable/c/39bb3d56f1c351e76bb18895d0e73796e653d5c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/2569e65d2eb6ac1afe6cb6dfae476afee8b6771a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fde195a373ab1267e60baa9e1a703a97e7464cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/49440290a0935f428a1e43a5ac8dc275a647ff80"
        }
      ],
      "title": "landlock: Handle weird files",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21830",
    "datePublished": "2025-03-06T16:08:09.894Z",
    "dateReserved": "2024-12-29T08:45:45.776Z",
    "dateUpdated": "2025-11-03T21:00:01.286Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21929 (GCVE-0-2025-21929)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-05-04 07:24

Title

HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()

Summary

In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove() During the `rmmod` operation for the `intel_ishtp_hid` driver, a use-after-free issue can occur in the hid_ishtp_cl_remove() function. The function hid_ishtp_cl_deinit() is called before ishtp_hid_remove(), which can lead to accessing freed memory or resources during the removal process. Call Trace: ? ishtp_cl_send+0x168/0x220 [intel_ishtp] ? hid_output_report+0xe3/0x150 [hid] hid_ishtp_set_feature+0xb5/0x120 [intel_ishtp_hid] ishtp_hid_request+0x7b/0xb0 [intel_ishtp_hid] hid_hw_request+0x1f/0x40 [hid] sensor_hub_set_feature+0x11f/0x190 [hid_sensor_hub] _hid_sensor_power_state+0x147/0x1e0 [hid_sensor_trigger] hid_sensor_runtime_resume+0x22/0x30 [hid_sensor_trigger] sensor_hub_remove+0xa8/0xe0 [hid_sensor_hub] hid_device_remove+0x49/0xb0 [hid] hid_destroy_device+0x6f/0x90 [hid] ishtp_hid_remove+0x42/0x70 [intel_ishtp_hid] hid_ishtp_cl_remove+0x6b/0xb0 [intel_ishtp_hid] ishtp_cl_device_remove+0x4a/0x60 [intel_ishtp] ... Additionally, ishtp_hid_remove() is a HID level power off, which should occur before the ISHTP level disconnect. This patch resolves the issue by reordering the calls in hid_ishtp_cl_remove(). The function ishtp_hid_remove() is now called before hid_ishtp_cl_deinit().

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9c677fe859a73f5dd…
	https://git.kernel.org/stable/c/e040f11fbca868c6d…
	https://git.kernel.org/stable/c/82398784142428933…

Impacted products

Vendor

Product

Version

Linux

Affected: f645a90e8ff732c48dd9f18815baef08c44ac8a0 , < 9c677fe859a73f5dd3dd84c27f99e10d28047c73 (git)
Affected: f645a90e8ff732c48dd9f18815baef08c44ac8a0 , < e040f11fbca868c6d151e9f2c5730c476abfcf17 (git)
Affected: f645a90e8ff732c48dd9f18815baef08c44ac8a0 , < 823987841424289339fdb4ba90e6d2c3792836db (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21929",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T13:14:59.850777Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T13:19:52.728Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/intel-ish-hid/ishtp-hid-client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9c677fe859a73f5dd3dd84c27f99e10d28047c73",
              "status": "affected",
              "version": "f645a90e8ff732c48dd9f18815baef08c44ac8a0",
              "versionType": "git"
            },
            {
              "lessThan": "e040f11fbca868c6d151e9f2c5730c476abfcf17",
              "status": "affected",
              "version": "f645a90e8ff732c48dd9f18815baef08c44ac8a0",
              "versionType": "git"
            },
            {
              "lessThan": "823987841424289339fdb4ba90e6d2c3792836db",
              "status": "affected",
              "version": "f645a90e8ff732c48dd9f18815baef08c44ac8a0",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/hid/intel-ish-hid/ishtp-hid-client.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nHID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()\n\nDuring the `rmmod` operation for the `intel_ishtp_hid` driver, a\nuse-after-free issue can occur in the hid_ishtp_cl_remove() function.\nThe function hid_ishtp_cl_deinit() is called before ishtp_hid_remove(),\nwhich can lead to accessing freed memory or resources during the\nremoval process.\n\nCall Trace:\n ? ishtp_cl_send+0x168/0x220 [intel_ishtp]\n ? hid_output_report+0xe3/0x150 [hid]\n hid_ishtp_set_feature+0xb5/0x120 [intel_ishtp_hid]\n ishtp_hid_request+0x7b/0xb0 [intel_ishtp_hid]\n hid_hw_request+0x1f/0x40 [hid]\n sensor_hub_set_feature+0x11f/0x190 [hid_sensor_hub]\n _hid_sensor_power_state+0x147/0x1e0 [hid_sensor_trigger]\n hid_sensor_runtime_resume+0x22/0x30 [hid_sensor_trigger]\n sensor_hub_remove+0xa8/0xe0 [hid_sensor_hub]\n hid_device_remove+0x49/0xb0 [hid]\n hid_destroy_device+0x6f/0x90 [hid]\n ishtp_hid_remove+0x42/0x70 [intel_ishtp_hid]\n hid_ishtp_cl_remove+0x6b/0xb0 [intel_ishtp_hid]\n ishtp_cl_device_remove+0x4a/0x60 [intel_ishtp]\n ...\n\nAdditionally, ishtp_hid_remove() is a HID level power off, which should\noccur before the ISHTP level disconnect.\n\nThis patch resolves the issue by reordering the calls in\nhid_ishtp_cl_remove(). The function ishtp_hid_remove() is now\ncalled before hid_ishtp_cl_deinit()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:47.101Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9c677fe859a73f5dd3dd84c27f99e10d28047c73"
        },
        {
          "url": "https://git.kernel.org/stable/c/e040f11fbca868c6d151e9f2c5730c476abfcf17"
        },
        {
          "url": "https://git.kernel.org/stable/c/823987841424289339fdb4ba90e6d2c3792836db"
        }
      ],
      "title": "HID: intel-ish-hid: Fix use-after-free issue in hid_ishtp_cl_remove()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21929",
    "datePublished": "2025-04-01T15:40:59.761Z",
    "dateReserved": "2024-12-29T08:45:45.789Z",
    "dateUpdated": "2025-05-04T07:24:47.101Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57952 (GCVE-0-2024-57952)

Vulnerability from cvelistv5 – Published: 2025-02-12 13:52 – Updated: 2025-10-01 19:57

Title

Revert "libfs: fix infinite directory reads for offset dir"

Summary

In the Linux kernel, the following vulnerability has been resolved: Revert "libfs: fix infinite directory reads for offset dir" The current directory offset allocator (based on mtree_alloc_cyclic) stores the next offset value to return in octx->next_offset. This mechanism typically returns values that increase monotonically over time. Eventually, though, the newly allocated offset value wraps back to a low number (say, 2) which is smaller than other already- allocated offset values. Yu Kuai <yukuai3@huawei.com> reports that, after commit 64a7ce76fb90 ("libfs: fix infinite directory reads for offset dir"), if a directory's offset allocator wraps, existing entries are no longer visible via readdir/getdents because offset_readdir() stops listing entries once an entry's offset is larger than octx->next_offset. These entries vanish persistently -- they can be looked up, but will never again appear in readdir(3) output. The reason for this is that the commit treats directory offsets as monotonically increasing integer values rather than opaque cookies, and introduces this comparison: if (dentry2offset(dentry) >= last_index) { On 64-bit platforms, the directory offset value upper bound is 2^63 - 1. Directory offsets will monotonically increase for millions of years without wrapping. On 32-bit platforms, however, LONG_MAX is 2^31 - 1. The allocator can wrap after only a few weeks (at worst). Revert commit 64a7ce76fb90 ("libfs: fix infinite directory reads for offset dir") to prepare for a fix that can work properly on 32-bit systems and might apply to recent LTS kernels where shmem employs the simple_offset mechanism.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-noinfo Not enough information

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9e9e710f68bac49bd…
	https://git.kernel.org/stable/c/3f250b82040a72b00…
	https://git.kernel.org/stable/c/b662d858131da9a8a…

Impacted products

Vendor

Product

Version

Linux

Affected: 64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a , < 9e9e710f68bac49bd9b587823c077d06363440e0 (git)
Affected: 64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a , < 3f250b82040a72b0059ae00855a74d8570ad2147 (git)
Affected: 64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a , < b662d858131da9a8a14e68661656989b14dbf113 (git)
Affected: 308b4fc2403b335894592ee9dc212a5e58bb309f (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.12 , ≤ 6.12.* (semver)
Unaffected: 6.13.1 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-57952",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:51:08.146468Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "description": "CWE-noinfo Not enough information",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:09.380Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/libfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9e9e710f68bac49bd9b587823c077d06363440e0",
              "status": "affected",
              "version": "64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a",
              "versionType": "git"
            },
            {
              "lessThan": "3f250b82040a72b0059ae00855a74d8570ad2147",
              "status": "affected",
              "version": "64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a",
              "versionType": "git"
            },
            {
              "lessThan": "b662d858131da9a8a14e68661656989b14dbf113",
              "status": "affected",
              "version": "64a7ce76fb901bf9f9c36cf5d681328fc0fd4b5a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "308b4fc2403b335894592ee9dc212a5e58bb309f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/libfs.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.1",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.12",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.1",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nRevert \"libfs: fix infinite directory reads for offset dir\"\n\nThe current directory offset allocator (based on mtree_alloc_cyclic)\nstores the next offset value to return in octx-\u003enext_offset. This\nmechanism typically returns values that increase monotonically over\ntime. Eventually, though, the newly allocated offset value wraps\nback to a low number (say, 2) which is smaller than other already-\nallocated offset values.\n\nYu Kuai \u003cyukuai3@huawei.com\u003e reports that, after commit 64a7ce76fb90\n(\"libfs: fix infinite directory reads for offset dir\"), if a\ndirectory\u0027s offset allocator wraps, existing entries are no longer\nvisible via readdir/getdents because offset_readdir() stops listing\nentries once an entry\u0027s offset is larger than octx-\u003enext_offset.\nThese entries vanish persistently -- they can be looked up, but will\nnever again appear in readdir(3) output.\n\nThe reason for this is that the commit treats directory offsets as\nmonotonically increasing integer values rather than opaque cookies,\nand introduces this comparison:\n\n\tif (dentry2offset(dentry) \u003e= last_index) {\n\nOn 64-bit platforms, the directory offset value upper bound is\n2^63 - 1. Directory offsets will monotonically increase for millions\nof years without wrapping.\n\nOn 32-bit platforms, however, LONG_MAX is 2^31 - 1. The allocator\ncan wrap after only a few weeks (at worst).\n\nRevert commit 64a7ce76fb90 (\"libfs: fix infinite directory reads for\noffset dir\") to prepare for a fix that can work properly on 32-bit\nsystems and might apply to recent LTS kernels where shmem employs\nthe simple_offset mechanism."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:01:46.749Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9e9e710f68bac49bd9b587823c077d06363440e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/3f250b82040a72b0059ae00855a74d8570ad2147"
        },
        {
          "url": "https://git.kernel.org/stable/c/b662d858131da9a8a14e68661656989b14dbf113"
        }
      ],
      "title": "Revert \"libfs: fix infinite directory reads for offset dir\"",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57952",
    "datePublished": "2025-02-12T13:52:45.229Z",
    "dateReserved": "2025-01-19T11:50:08.381Z",
    "dateUpdated": "2025-10-01T19:57:09.380Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-57834 (GCVE-0-2024-57834)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 19:32

Title

media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread

Summary

In the Linux kernel, the following vulnerability has been resolved: media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread syzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1] If dvb->mux is not initialized successfully by vidtv_mux_init() in the vidtv_start_streaming(), it will trigger null pointer dereference about mux in vidtv_mux_stop_thread(). Adjust the timing of streaming initialization and check it before stopping it. [1] KASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f] CPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024 RIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471 Code: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8 RSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125 RDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128 RBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188 R13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710 FS: 00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline] vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252 dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000 dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486 dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559 dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline] dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246 __fput+0x3f8/0xb60 fs/file_table.c:450 task_work_run+0x14e/0x250 kernel/task_work.c:239 get_signal+0x1d3/0x2610 kernel/signal.c:2790 arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337 exit_to_user_mode_loop kernel/entry/common.c:111 [inline] exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline] __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline] syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218 do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89 entry_SYSCALL_64_after_hwframe+0x77/0x7f

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/52d3512f9a7a52ef9…
	https://git.kernel.org/stable/c/59a707ad952eb2ea8…
	https://git.kernel.org/stable/c/86307e443c5844f38…
	https://git.kernel.org/stable/c/2c5601b99d79d196f…
	https://git.kernel.org/stable/c/95432a37778c9c5dd…
	https://git.kernel.org/stable/c/904a8323cc8afa7eb…
	https://git.kernel.org/stable/c/1221989555db71157…

Impacted products

Vendor

Product

Version

Linux

Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 52d3512f9a7a52ef92864679b1e8e8aa16202c6a (git)
Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 59a707ad952eb2ea8d59457d662b6f4138f17b08 (git)
Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 86307e443c5844f38e1b98e2c51a4195c55576cd (git)
Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 2c5601b99d79d196fe4a37159e3dfb38e778ea18 (git)
Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 95432a37778c9c5dd105b7b9f19e9695c9e166cf (git)
Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 904a8323cc8afa7eb9ce3e67303a2b3f2f787306 (git)
Affected: f90cf6079bf67988f8b1ad1ade70fc89d0080905 , < 1221989555db711578a327a9367f1be46500cb48 (git)

Linux

Affected: 5.10
Unaffected: 0 , < 5.10 (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.79 , ≤ 6.6.* (semver)
Unaffected: 6.12.16 , ≤ 6.12.* (semver)
Unaffected: 6.13.4 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:32:45.160Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vidtv/vidtv_bridge.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "52d3512f9a7a52ef92864679b1e8e8aa16202c6a",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "59a707ad952eb2ea8d59457d662b6f4138f17b08",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "86307e443c5844f38e1b98e2c51a4195c55576cd",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "2c5601b99d79d196fe4a37159e3dfb38e778ea18",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "95432a37778c9c5dd105b7b9f19e9695c9e166cf",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "904a8323cc8afa7eb9ce3e67303a2b3f2f787306",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            },
            {
              "lessThan": "1221989555db711578a327a9367f1be46500cb48",
              "status": "affected",
              "version": "f90cf6079bf67988f8b1ad1ade70fc89d0080905",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vidtv/vidtv_bridge.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.10"
            },
            {
              "lessThan": "5.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread\n\nsyzbot report a null-ptr-deref in vidtv_mux_stop_thread. [1]\n\nIf dvb-\u003emux is not initialized successfully by vidtv_mux_init() in the\nvidtv_start_streaming(), it will trigger null pointer dereference about mux\nin vidtv_mux_stop_thread().\n\nAdjust the timing of streaming initialization and check it before\nstopping it.\n\n[1]\nKASAN: null-ptr-deref in range [0x0000000000000128-0x000000000000012f]\nCPU: 0 UID: 0 PID: 5842 Comm: syz-executor248 Not tainted 6.13.0-rc4-syzkaller-00012-g9b2ffa6148b1 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024\nRIP: 0010:vidtv_mux_stop_thread+0x26/0x80 drivers/media/test-drivers/vidtv/vidtv_mux.c:471\nCode: 90 90 90 90 66 0f 1f 00 55 53 48 89 fb e8 82 2e c8 f9 48 8d bb 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 \u003c0f\u003e b6 04 02 84 c0 74 02 7e 3b 0f b6 ab 28 01 00 00 31 ff 89 ee e8\nRSP: 0018:ffffc90003f2faa8 EFLAGS: 00010202\nRAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87cfb125\nRDX: 0000000000000025 RSI: ffffffff87d120ce RDI: 0000000000000128\nRBP: ffff888029b8d220 R08: 0000000000000005 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000003 R12: ffff888029b8d188\nR13: ffffffff8f590aa0 R14: ffffc9000581c5c8 R15: ffff888029a17710\nFS:  00007f7eef5156c0(0000) GS:ffff8880b8600000(0000) knlGS:0000000000000000\nCS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\nCR2: 00007f7eef5e635c CR3: 0000000076ca6000 CR4: 00000000003526f0\nDR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000\nDR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400\nCall Trace:\n \u003cTASK\u003e\n vidtv_stop_streaming drivers/media/test-drivers/vidtv/vidtv_bridge.c:209 [inline]\n vidtv_stop_feed+0x151/0x250 drivers/media/test-drivers/vidtv/vidtv_bridge.c:252\n dmx_section_feed_stop_filtering+0x90/0x160 drivers/media/dvb-core/dvb_demux.c:1000\n dvb_dmxdev_feed_stop.isra.0+0x1ee/0x270 drivers/media/dvb-core/dmxdev.c:486\n dvb_dmxdev_filter_stop+0x22a/0x3a0 drivers/media/dvb-core/dmxdev.c:559\n dvb_dmxdev_filter_free drivers/media/dvb-core/dmxdev.c:840 [inline]\n dvb_demux_release+0x92/0x550 drivers/media/dvb-core/dmxdev.c:1246\n __fput+0x3f8/0xb60 fs/file_table.c:450\n task_work_run+0x14e/0x250 kernel/task_work.c:239\n get_signal+0x1d3/0x2610 kernel/signal.c:2790\n arch_do_signal_or_restart+0x90/0x7e0 arch/x86/kernel/signal.c:337\n exit_to_user_mode_loop kernel/entry/common.c:111 [inline]\n exit_to_user_mode_prepare include/linux/entry-common.h:329 [inline]\n __syscall_exit_to_user_mode_work kernel/entry/common.c:207 [inline]\n syscall_exit_to_user_mode+0x150/0x2a0 kernel/entry/common.c:218\n do_syscall_64+0xda/0x250 arch/x86/entry/common.c:89\n entry_SYSCALL_64_after_hwframe+0x77/0x7f"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:05:18.306Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/52d3512f9a7a52ef92864679b1e8e8aa16202c6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/59a707ad952eb2ea8d59457d662b6f4138f17b08"
        },
        {
          "url": "https://git.kernel.org/stable/c/86307e443c5844f38e1b98e2c51a4195c55576cd"
        },
        {
          "url": "https://git.kernel.org/stable/c/2c5601b99d79d196fe4a37159e3dfb38e778ea18"
        },
        {
          "url": "https://git.kernel.org/stable/c/95432a37778c9c5dd105b7b9f19e9695c9e166cf"
        },
        {
          "url": "https://git.kernel.org/stable/c/904a8323cc8afa7eb9ce3e67303a2b3f2f787306"
        },
        {
          "url": "https://git.kernel.org/stable/c/1221989555db711578a327a9367f1be46500cb48"
        }
      ],
      "title": "media: vidtv: Fix a null-ptr-deref in vidtv_mux_stop_thread",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-57834",
    "datePublished": "2025-02-27T02:18:09.085Z",
    "dateReserved": "2025-02-27T02:16:34.111Z",
    "dateUpdated": "2025-11-03T19:32:45.160Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21665 (GCVE-0-2025-21665)

Vulnerability from cvelistv5 – Published: 2025-01-31 11:25 – Updated: 2025-11-03 20:58

Title

filemap: avoid truncating 64-bit offset to 32 bits

Summary

In the Linux kernel, the following vulnerability has been resolved: filemap: avoid truncating 64-bit offset to 32 bits On 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a 64-bit value to 32 bits, leading to a possible infinite loop when writing to an xfs filesystem.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/64e5fd96330df2ad2…
	https://git.kernel.org/stable/c/80fc836f3ebe2f2d2…
	https://git.kernel.org/stable/c/09528bb1a4123e2a2…
	https://git.kernel.org/stable/c/280f1fb89afc01e73…
	https://git.kernel.org/stable/c/f505e6c91e7a22d10…

Impacted products

Vendor

Product

Version

Linux

Affected: 54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d , < 64e5fd96330df2ad278d1c4edcca581f26e5f76e (git)
Affected: 54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d , < 80fc836f3ebe2f2d2d2c80c698b7667974285a04 (git)
Affected: 54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d , < 09528bb1a4123e2a234eac2bc45a0e51e78dab43 (git)
Affected: 54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d , < 280f1fb89afc01e7376f59ae611d54ca69e9f967 (git)
Affected: 54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d , < f505e6c91e7a22d10316665a86d79f84d9f0ba76 (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 5.15.177 , ≤ 5.15.* (semver)
Unaffected: 6.1.127 , ≤ 6.1.* (semver)
Unaffected: 6.6.74 , ≤ 6.6.* (semver)
Unaffected: 6.12.11 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21665",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:52:27.434323Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-835",
                "description": "CWE-835 Loop with Unreachable Exit Condition (\u0027Infinite Loop\u0027)",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:12.855Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:58:41.781Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/filemap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "64e5fd96330df2ad278d1c4edcca581f26e5f76e",
              "status": "affected",
              "version": "54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d",
              "versionType": "git"
            },
            {
              "lessThan": "80fc836f3ebe2f2d2d2c80c698b7667974285a04",
              "status": "affected",
              "version": "54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d",
              "versionType": "git"
            },
            {
              "lessThan": "09528bb1a4123e2a234eac2bc45a0e51e78dab43",
              "status": "affected",
              "version": "54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d",
              "versionType": "git"
            },
            {
              "lessThan": "280f1fb89afc01e7376f59ae611d54ca69e9f967",
              "status": "affected",
              "version": "54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d",
              "versionType": "git"
            },
            {
              "lessThan": "f505e6c91e7a22d10316665a86d79f84d9f0ba76",
              "status": "affected",
              "version": "54fa39ac2e00b1b8c2a7fe72e648773ffa48f76d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/filemap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.177",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.127",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.177",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.127",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nfilemap: avoid truncating 64-bit offset to 32 bits\n\nOn 32-bit kernels, folio_seek_hole_data() was inadvertently truncating a\n64-bit value to 32 bits, leading to a possible infinite loop when writing\nto an xfs filesystem."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:18:31.947Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/64e5fd96330df2ad278d1c4edcca581f26e5f76e"
        },
        {
          "url": "https://git.kernel.org/stable/c/80fc836f3ebe2f2d2d2c80c698b7667974285a04"
        },
        {
          "url": "https://git.kernel.org/stable/c/09528bb1a4123e2a234eac2bc45a0e51e78dab43"
        },
        {
          "url": "https://git.kernel.org/stable/c/280f1fb89afc01e7376f59ae611d54ca69e9f967"
        },
        {
          "url": "https://git.kernel.org/stable/c/f505e6c91e7a22d10316665a86d79f84d9f0ba76"
        }
      ],
      "title": "filemap: avoid truncating 64-bit offset to 32 bits",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21665",
    "datePublished": "2025-01-31T11:25:30.468Z",
    "dateReserved": "2024-12-29T08:45:45.733Z",
    "dateUpdated": "2025-11-03T20:58:41.781Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22030 (GCVE-0-2025-22030)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2025-05-26 05:16

Title

mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()

Summary

In the Linux kernel, the following vulnerability has been resolved: mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead() Currently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding the per-CPU acomp_ctx mutex. crypto_free_acomp() then holds scomp_lock (through crypto_exit_scomp_ops_async()). On the other hand, crypto_alloc_acomp_node() holds the scomp_lock (through crypto_scomp_init_tfm()), and then allocates memory. If the allocation results in reclaim, we may attempt to hold the per-CPU acomp_ctx mutex. The above dependencies can cause an ABBA deadlock. For example in the following scenario: (1) Task A running on CPU #1: crypto_alloc_acomp_node() Holds scomp_lock Enters reclaim Reads per_cpu_ptr(pool->acomp_ctx, 1) (2) Task A is descheduled (3) CPU #1 goes offline zswap_cpu_comp_dead(CPU #1) Holds per_cpu_ptr(pool->acomp_ctx, 1)) Calls crypto_free_acomp() Waits for scomp_lock (4) Task A running on CPU #2: Waits for per_cpu_ptr(pool->acomp_ctx, 1) // Read on CPU #1 DEADLOCK Since there is no requirement to call crypto_free_acomp() with the per-CPU acomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the mutex is unlocked. Also move the acomp_request_free() and kfree() calls for consistency and to avoid any potential sublte locking dependencies in the future. With this, only setting acomp_ctx fields to NULL occurs with the mutex held. This is similar to how zswap_cpu_comp_prepare() only initializes acomp_ctx fields with the mutex held, after performing all allocations before holding the mutex. Opportunistically, move the NULL check on acomp_ctx so that it takes place before the mutex dereference.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/747e3eec1d7d124ea…
	https://git.kernel.org/stable/c/a8d18000e9d2d97aa…
	https://git.kernel.org/stable/c/717d9c35deff6c332…
	https://git.kernel.org/stable/c/c11bcbc0a517acf69…

Impacted products

Vendor

Product

Version

Linux

Affected: 8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1 , < 747e3eec1d7d124ea90ed3d7b85369df8b4e36d2 (git)
Affected: 12dcb0ef540629a281533f9dedc1b6b8e14cfb65 , < a8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96 (git)
Affected: 12dcb0ef540629a281533f9dedc1b6b8e14cfb65 , < 717d9c35deff6c33235693171bacbb03e9643fa4 (git)
Affected: 12dcb0ef540629a281533f9dedc1b6b8e14cfb65 , < c11bcbc0a517acf69282c8225059b2a8ac5fe628 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/zswap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "747e3eec1d7d124ea90ed3d7b85369df8b4e36d2",
              "status": "affected",
              "version": "8d29ff5d50304daa41dc3cfdda4a9d1e46cf5be1",
              "versionType": "git"
            },
            {
              "lessThan": "a8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96",
              "status": "affected",
              "version": "12dcb0ef540629a281533f9dedc1b6b8e14cfb65",
              "versionType": "git"
            },
            {
              "lessThan": "717d9c35deff6c33235693171bacbb03e9643fa4",
              "status": "affected",
              "version": "12dcb0ef540629a281533f9dedc1b6b8e14cfb65",
              "versionType": "git"
            },
            {
              "lessThan": "c11bcbc0a517acf69282c8225059b2a8ac5fe628",
              "status": "affected",
              "version": "12dcb0ef540629a281533f9dedc1b6b8e14cfb65",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/zswap.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.12.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()\n\nCurrently, zswap_cpu_comp_dead() calls crypto_free_acomp() while holding\nthe per-CPU acomp_ctx mutex.  crypto_free_acomp() then holds scomp_lock\n(through crypto_exit_scomp_ops_async()).\n\nOn the other hand, crypto_alloc_acomp_node() holds the scomp_lock (through\ncrypto_scomp_init_tfm()), and then allocates memory.  If the allocation\nresults in reclaim, we may attempt to hold the per-CPU acomp_ctx mutex.\n\nThe above dependencies can cause an ABBA deadlock.  For example in the\nfollowing scenario:\n\n(1) Task A running on CPU #1:\n    crypto_alloc_acomp_node()\n      Holds scomp_lock\n      Enters reclaim\n      Reads per_cpu_ptr(pool-\u003eacomp_ctx, 1)\n\n(2) Task A is descheduled\n\n(3) CPU #1 goes offline\n    zswap_cpu_comp_dead(CPU #1)\n      Holds per_cpu_ptr(pool-\u003eacomp_ctx, 1))\n      Calls crypto_free_acomp()\n      Waits for scomp_lock\n\n(4) Task A running on CPU #2:\n      Waits for per_cpu_ptr(pool-\u003eacomp_ctx, 1) // Read on CPU #1\n      DEADLOCK\n\nSince there is no requirement to call crypto_free_acomp() with the per-CPU\nacomp_ctx mutex held in zswap_cpu_comp_dead(), move it after the mutex is\nunlocked.  Also move the acomp_request_free() and kfree() calls for\nconsistency and to avoid any potential sublte locking dependencies in the\nfuture.\n\nWith this, only setting acomp_ctx fields to NULL occurs with the mutex\nheld.  This is similar to how zswap_cpu_comp_prepare() only initializes\nacomp_ctx fields with the mutex held, after performing all allocations\nbefore holding the mutex.\n\nOpportunistically, move the NULL check on acomp_ctx so that it takes place\nbefore the mutex dereference."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:16:57.089Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/747e3eec1d7d124ea90ed3d7b85369df8b4e36d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/a8d18000e9d2d97aaf105f5f9b3b0e8a6fbf8b96"
        },
        {
          "url": "https://git.kernel.org/stable/c/717d9c35deff6c33235693171bacbb03e9643fa4"
        },
        {
          "url": "https://git.kernel.org/stable/c/c11bcbc0a517acf69282c8225059b2a8ac5fe628"
        }
      ],
      "title": "mm: zswap: fix crypto_free_acomp() deadlock in zswap_cpu_comp_dead()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22030",
    "datePublished": "2025-04-16T14:11:50.625Z",
    "dateReserved": "2024-12-29T08:45:45.808Z",
    "dateUpdated": "2025-05-26T05:16:57.089Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22121 (GCVE-0-2025-22121)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2026-01-19 12:17

Title

ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()

Summary

In the Linux kernel, the following vulnerability has been resolved: ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all() There's issue as follows: BUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790 Read of size 4 at addr ffff88807b003000 by task syz-executor.0/15172 CPU: 3 PID: 15172 Comm: syz-executor.0 Call Trace: __dump_stack lib/dump_stack.c:82 [inline] dump_stack+0xbe/0xfd lib/dump_stack.c:123 print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400 __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560 kasan_report+0x3a/0x50 mm/kasan/report.c:585 ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137 ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896 ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323 evict+0x39f/0x880 fs/inode.c:622 iput_final fs/inode.c:1746 [inline] iput fs/inode.c:1772 [inline] iput+0x525/0x6c0 fs/inode.c:1758 ext4_orphan_cleanup fs/ext4/super.c:3298 [inline] ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300 mount_bdev+0x355/0x410 fs/super.c:1446 legacy_get_tree+0xfe/0x220 fs/fs_context.c:611 vfs_get_tree+0x8d/0x2f0 fs/super.c:1576 do_new_mount fs/namespace.c:2983 [inline] path_mount+0x119a/0x1ad0 fs/namespace.c:3316 do_mount+0xfc/0x110 fs/namespace.c:3329 __do_sys_mount fs/namespace.c:3540 [inline] __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514 do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x67/0xd1 Memory state around the buggy address: ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Above issue happens as ext4_xattr_delete_inode() isn't check xattr is valid if xattr is in inode. To solve above issue call xattr_check_inode() check if xattr if valid in inode. In fact, we can directly verify in ext4_iget_extra_inode(), so that there is no divergent verification.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/27202452b0bc942fd…
	https://git.kernel.org/stable/c/b374e9ecc92aaa7fb…
	https://git.kernel.org/stable/c/c000a8a9b5343a5ef…
	https://git.kernel.org/stable/c/3c591353956ffcace…
	https://git.kernel.org/stable/c/098927a13fd918bd7…
	https://git.kernel.org/stable/c/0c8fbb6ffb3c8f516…
	https://git.kernel.org/stable/c/5701875f9609b000d…

Impacted products

Vendor

Product

Version

Linux

Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 27202452b0bc942fdc3db72a44c4dcdab96d5b56 (git)
Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < b374e9ecc92aaa7fb2ab221ee3ff5451118ab566 (git)
Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < c000a8a9b5343a5ef867df173c6349672dacbd0f (git)
Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 3c591353956ffcace2cc74d09930774afed60619 (git)
Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 098927a13fd918bd7c64c2de905350a1ad7b4a3a (git)
Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8 (git)
Affected: e50e5129f384ae282adebfb561189cdb19b81cee , < 5701875f9609b000d91351eaa6bfd97fe2f157f4 (git)

Linux

Affected: 4.13
Unaffected: 0 , < 4.13 (semver)
Unaffected: 5.10.248 , ≤ 5.10.* (semver)
Unaffected: 5.15.198 , ≤ 5.15.* (semver)
Unaffected: 6.1.161 , ≤ 6.1.* (semver)
Unaffected: 6.6.120 , ≤ 6.6.* (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c",
            "fs/ext4/xattr.c",
            "fs/ext4/xattr.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "27202452b0bc942fdc3db72a44c4dcdab96d5b56",
              "status": "affected",
              "version": "e50e5129f384ae282adebfb561189cdb19b81cee",
              "versionType": "git"
            },
            {
              "lessThan": "b374e9ecc92aaa7fb2ab221ee3ff5451118ab566",
              "status": "affected",
              "version": "e50e5129f384ae282adebfb561189cdb19b81cee",
              "versionType": "git"
            },
            {
              "lessThan": "c000a8a9b5343a5ef867df173c6349672dacbd0f",
              "status": "affected",
              "version": "e50e5129f384ae282adebfb561189cdb19b81cee",
              "versionType": "git"
            },
            {
              "lessThan": "3c591353956ffcace2cc74d09930774afed60619",
              "status": "affected",
              "version": "e50e5129f384ae282adebfb561189cdb19b81cee",
              "versionType": "git"
            },
            {
              "lessThan": "098927a13fd918bd7c64c2de905350a1ad7b4a3a",
              "status": "affected",
              "version": "e50e5129f384ae282adebfb561189cdb19b81cee",
              "versionType": "git"
            },
            {
              "lessThan": "0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8",
              "status": "affected",
              "version": "e50e5129f384ae282adebfb561189cdb19b81cee",
              "versionType": "git"
            },
            {
              "lessThan": "5701875f9609b000d91351eaa6bfd97fe2f157f4",
              "status": "affected",
              "version": "e50e5129f384ae282adebfb561189cdb19b81cee",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ext4/inode.c",
            "fs/ext4/xattr.c",
            "fs/ext4/xattr.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.13"
            },
            {
              "lessThan": "4.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.248",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.198",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.161",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.120",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.248",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.198",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.161",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.120",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\next4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()\n\nThere\u0027s issue as follows:\nBUG: KASAN: use-after-free in ext4_xattr_inode_dec_ref_all+0x6ff/0x790\nRead of size 4 at addr ffff88807b003000 by task syz-executor.0/15172\n\nCPU: 3 PID: 15172 Comm: syz-executor.0\nCall Trace:\n __dump_stack lib/dump_stack.c:82 [inline]\n dump_stack+0xbe/0xfd lib/dump_stack.c:123\n print_address_description.constprop.0+0x1e/0x280 mm/kasan/report.c:400\n __kasan_report.cold+0x6c/0x84 mm/kasan/report.c:560\n kasan_report+0x3a/0x50 mm/kasan/report.c:585\n ext4_xattr_inode_dec_ref_all+0x6ff/0x790 fs/ext4/xattr.c:1137\n ext4_xattr_delete_inode+0x4c7/0xda0 fs/ext4/xattr.c:2896\n ext4_evict_inode+0xb3b/0x1670 fs/ext4/inode.c:323\n evict+0x39f/0x880 fs/inode.c:622\n iput_final fs/inode.c:1746 [inline]\n iput fs/inode.c:1772 [inline]\n iput+0x525/0x6c0 fs/inode.c:1758\n ext4_orphan_cleanup fs/ext4/super.c:3298 [inline]\n ext4_fill_super+0x8c57/0xba40 fs/ext4/super.c:5300\n mount_bdev+0x355/0x410 fs/super.c:1446\n legacy_get_tree+0xfe/0x220 fs/fs_context.c:611\n vfs_get_tree+0x8d/0x2f0 fs/super.c:1576\n do_new_mount fs/namespace.c:2983 [inline]\n path_mount+0x119a/0x1ad0 fs/namespace.c:3316\n do_mount+0xfc/0x110 fs/namespace.c:3329\n __do_sys_mount fs/namespace.c:3540 [inline]\n __se_sys_mount+0x219/0x2e0 fs/namespace.c:3514\n do_syscall_64+0x33/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x67/0xd1\n\nMemory state around the buggy address:\n ffff88807b002f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n ffff88807b002f80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n\u003effff88807b003000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n                   ^\n ffff88807b003080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n ffff88807b003100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff\n\nAbove issue happens as ext4_xattr_delete_inode() isn\u0027t check xattr\nis valid if xattr is in inode.\nTo solve above issue call xattr_check_inode() check if xattr if valid\nin inode. In fact, we can directly verify in ext4_iget_extra_inode(),\nso that there is no divergent verification."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-19T12:17:55.783Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/27202452b0bc942fdc3db72a44c4dcdab96d5b56"
        },
        {
          "url": "https://git.kernel.org/stable/c/b374e9ecc92aaa7fb2ab221ee3ff5451118ab566"
        },
        {
          "url": "https://git.kernel.org/stable/c/c000a8a9b5343a5ef867df173c6349672dacbd0f"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c591353956ffcace2cc74d09930774afed60619"
        },
        {
          "url": "https://git.kernel.org/stable/c/098927a13fd918bd7c64c2de905350a1ad7b4a3a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0c8fbb6ffb3c8f5164572ca88e4ccb6cd6a41ca8"
        },
        {
          "url": "https://git.kernel.org/stable/c/5701875f9609b000d91351eaa6bfd97fe2f157f4"
        }
      ],
      "title": "ext4: fix out-of-bound read in ext4_xattr_inode_dec_ref_all()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22121",
    "datePublished": "2025-04-16T14:13:05.894Z",
    "dateReserved": "2024-12-29T08:45:45.823Z",
    "dateUpdated": "2026-01-19T12:17:55.783Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37876 (GCVE-0-2025-37876)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:45 – Updated: 2025-05-26 05:22

Title

netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS

Summary

In the Linux kernel, the following vulnerability has been resolved: netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS When testing a special config: CONFIG_NETFS_SUPPORTS=y CONFIG_PROC_FS=n The system crashes with something like: [ 3.766197] ------------[ cut here ]------------ [ 3.766484] kernel BUG at mm/mempool.c:560! [ 3.766789] Oops: invalid opcode: 0000 [#1] SMP NOPTI [ 3.767123] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G W [ 3.767777] Tainted: [W]=WARN [ 3.767968] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), [ 3.768523] RIP: 0010:mempool_alloc_slab.cold+0x17/0x19 [ 3.768847] Code: 50 fe ff 58 5b 5d 41 5c 41 5d 41 5e 41 5f e9 93 95 13 00 [ 3.769977] RSP: 0018:ffffc90000013998 EFLAGS: 00010286 [ 3.770315] RAX: 000000000000002f RBX: ffff888100ba8640 RCX: 0000000000000000 [ 3.770749] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 00000000ffffffff [ 3.771217] RBP: 0000000000092880 R08: 0000000000000000 R09: ffffc90000013828 [ 3.771664] R10: 0000000000000001 R11: 00000000ffffffea R12: 0000000000092cc0 [ 3.772117] R13: 0000000000000400 R14: ffff8881004b1620 R15: ffffea0004ef7e40 [ 3.772554] FS: 0000000000000000(0000) GS:ffff8881b5f3c000(0000) knlGS:0000000000000000 [ 3.773061] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 3.773443] CR2: ffffffff830901b4 CR3: 0000000004296001 CR4: 0000000000770ef0 [ 3.773884] PKRU: 55555554 [ 3.774058] Call Trace: [ 3.774232] <TASK> [ 3.774371] mempool_alloc_noprof+0x6a/0x190 [ 3.774649] ? _printk+0x57/0x80 [ 3.774862] netfs_alloc_request+0x85/0x2ce [ 3.775147] netfs_readahead+0x28/0x170 [ 3.775395] read_pages+0x6c/0x350 [ 3.775623] ? srso_alias_return_thunk+0x5/0xfbef5 [ 3.775928] page_cache_ra_unbounded+0x1bd/0x2a0 [ 3.776247] filemap_get_pages+0x139/0x970 [ 3.776510] ? srso_alias_return_thunk+0x5/0xfbef5 [ 3.776820] filemap_read+0xf9/0x580 [ 3.777054] ? srso_alias_return_thunk+0x5/0xfbef5 [ 3.777368] ? srso_alias_return_thunk+0x5/0xfbef5 [ 3.777674] ? find_held_lock+0x32/0x90 [ 3.777929] ? netfs_start_io_read+0x19/0x70 [ 3.778221] ? netfs_start_io_read+0x19/0x70 [ 3.778489] ? srso_alias_return_thunk+0x5/0xfbef5 [ 3.778800] ? lock_acquired+0x1e6/0x450 [ 3.779054] ? srso_alias_return_thunk+0x5/0xfbef5 [ 3.779379] netfs_buffered_read_iter+0x57/0x80 [ 3.779670] __kernel_read+0x158/0x2c0 [ 3.779927] bprm_execve+0x300/0x7a0 [ 3.780185] kernel_execve+0x10c/0x140 [ 3.780423] ? __pfx_kernel_init+0x10/0x10 [ 3.780690] kernel_init+0xd5/0x150 [ 3.780910] ret_from_fork+0x2d/0x50 [ 3.781156] ? __pfx_kernel_init+0x10/0x10 [ 3.781414] ret_from_fork_asm+0x1a/0x30 [ 3.781677] </TASK> [ 3.781823] Modules linked in: [ 3.782065] ---[ end trace 0000000000000000 ]--- This is caused by the following error path in netfs_init(): if (!proc_mkdir("fs/netfs", NULL)) goto error_proc; Fix this by adding ifdef in netfs_main(), so that /proc/fs/netfs is only created with CONFIG_PROC_FS.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/2ef6eea2efce01d19…
	https://git.kernel.org/stable/c/6c4c5e0b96a90f2a1…
	https://git.kernel.org/stable/c/40cb48eba3b4b79e1…

Impacted products

Vendor

Product

Version

Linux

Affected: 7eb5b3e3a0a55f2d166ca949ef47ca6e0c704aab , < 2ef6eea2efce01d1956ace483216f6b6e26330c9 (git)
Affected: 7eb5b3e3a0a55f2d166ca949ef47ca6e0c704aab , < 6c4c5e0b96a90f2a11c378e66edc1f25165e10b6 (git)
Affected: 7eb5b3e3a0a55f2d166ca949ef47ca6e0c704aab , < 40cb48eba3b4b79e110c1a35d33a48cac54507a2 (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "2ef6eea2efce01d1956ace483216f6b6e26330c9",
              "status": "affected",
              "version": "7eb5b3e3a0a55f2d166ca949ef47ca6e0c704aab",
              "versionType": "git"
            },
            {
              "lessThan": "6c4c5e0b96a90f2a11c378e66edc1f25165e10b6",
              "status": "affected",
              "version": "7eb5b3e3a0a55f2d166ca949ef47ca6e0c704aab",
              "versionType": "git"
            },
            {
              "lessThan": "40cb48eba3b4b79e110c1a35d33a48cac54507a2",
              "status": "affected",
              "version": "7eb5b3e3a0a55f2d166ca949ef47ca6e0c704aab",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/netfs/main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnetfs: Only create /proc/fs/netfs with CONFIG_PROC_FS\n\nWhen testing a special config:\n\nCONFIG_NETFS_SUPPORTS=y\nCONFIG_PROC_FS=n\n\nThe system crashes with something like:\n\n[    3.766197] ------------[ cut here ]------------\n[    3.766484] kernel BUG at mm/mempool.c:560!\n[    3.766789] Oops: invalid opcode: 0000 [#1] SMP NOPTI\n[    3.767123] CPU: 0 UID: 0 PID: 1 Comm: swapper/0 Tainted: G        W\n[    3.767777] Tainted: [W]=WARN\n[    3.767968] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),\n[    3.768523] RIP: 0010:mempool_alloc_slab.cold+0x17/0x19\n[    3.768847] Code: 50 fe ff 58 5b 5d 41 5c 41 5d 41 5e 41 5f e9 93 95 13 00\n[    3.769977] RSP: 0018:ffffc90000013998 EFLAGS: 00010286\n[    3.770315] RAX: 000000000000002f RBX: ffff888100ba8640 RCX: 0000000000000000\n[    3.770749] RDX: 0000000000000000 RSI: 0000000000000003 RDI: 00000000ffffffff\n[    3.771217] RBP: 0000000000092880 R08: 0000000000000000 R09: ffffc90000013828\n[    3.771664] R10: 0000000000000001 R11: 00000000ffffffea R12: 0000000000092cc0\n[    3.772117] R13: 0000000000000400 R14: ffff8881004b1620 R15: ffffea0004ef7e40\n[    3.772554] FS:  0000000000000000(0000) GS:ffff8881b5f3c000(0000) knlGS:0000000000000000\n[    3.773061] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[    3.773443] CR2: ffffffff830901b4 CR3: 0000000004296001 CR4: 0000000000770ef0\n[    3.773884] PKRU: 55555554\n[    3.774058] Call Trace:\n[    3.774232]  \u003cTASK\u003e\n[    3.774371]  mempool_alloc_noprof+0x6a/0x190\n[    3.774649]  ? _printk+0x57/0x80\n[    3.774862]  netfs_alloc_request+0x85/0x2ce\n[    3.775147]  netfs_readahead+0x28/0x170\n[    3.775395]  read_pages+0x6c/0x350\n[    3.775623]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.775928]  page_cache_ra_unbounded+0x1bd/0x2a0\n[    3.776247]  filemap_get_pages+0x139/0x970\n[    3.776510]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.776820]  filemap_read+0xf9/0x580\n[    3.777054]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.777368]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.777674]  ? find_held_lock+0x32/0x90\n[    3.777929]  ? netfs_start_io_read+0x19/0x70\n[    3.778221]  ? netfs_start_io_read+0x19/0x70\n[    3.778489]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.778800]  ? lock_acquired+0x1e6/0x450\n[    3.779054]  ? srso_alias_return_thunk+0x5/0xfbef5\n[    3.779379]  netfs_buffered_read_iter+0x57/0x80\n[    3.779670]  __kernel_read+0x158/0x2c0\n[    3.779927]  bprm_execve+0x300/0x7a0\n[    3.780185]  kernel_execve+0x10c/0x140\n[    3.780423]  ? __pfx_kernel_init+0x10/0x10\n[    3.780690]  kernel_init+0xd5/0x150\n[    3.780910]  ret_from_fork+0x2d/0x50\n[    3.781156]  ? __pfx_kernel_init+0x10/0x10\n[    3.781414]  ret_from_fork_asm+0x1a/0x30\n[    3.781677]  \u003c/TASK\u003e\n[    3.781823] Modules linked in:\n[    3.782065] ---[ end trace 0000000000000000 ]---\n\nThis is caused by the following error path in netfs_init():\n\n        if (!proc_mkdir(\"fs/netfs\", NULL))\n                goto error_proc;\n\nFix this by adding ifdef in netfs_main(), so that /proc/fs/netfs is only\ncreated with CONFIG_PROC_FS."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:50.030Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/2ef6eea2efce01d1956ace483216f6b6e26330c9"
        },
        {
          "url": "https://git.kernel.org/stable/c/6c4c5e0b96a90f2a11c378e66edc1f25165e10b6"
        },
        {
          "url": "https://git.kernel.org/stable/c/40cb48eba3b4b79e110c1a35d33a48cac54507a2"
        }
      ],
      "title": "netfs: Only create /proc/fs/netfs with CONFIG_PROC_FS",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37876",
    "datePublished": "2025-05-09T06:45:40.934Z",
    "dateReserved": "2025-04-16T04:51:23.960Z",
    "dateUpdated": "2025-05-26T05:22:50.030Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58090 (GCVE-0-2024-58090)

Vulnerability from cvelistv5 – Published: 2025-03-27 14:57 – Updated: 2026-01-05 10:56

Title

sched/core: Prevent rescheduling when interrupts are disabled

Summary

In the Linux kernel, the following vulnerability has been resolved: sched/core: Prevent rescheduling when interrupts are disabled David reported a warning observed while loop testing kexec jump: Interrupts enabled after irqrouter_resume+0x0/0x50 WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220 kernel_kexec+0xf6/0x180 __do_sys_reboot+0x206/0x250 do_syscall_64+0x95/0x180 The corresponding interrupt flag trace: hardirqs last enabled at (15573): [<ffffffffa8281b8e>] __up_console_sem+0x7e/0x90 hardirqs last disabled at (15580): [<ffffffffa8281b73>] __up_console_sem+0x63/0x90 That means __up_console_sem() was invoked with interrupts enabled. Further instrumentation revealed that in the interrupt disabled section of kexec jump one of the syscore_suspend() callbacks woke up a task, which set the NEED_RESCHED flag. A later callback in the resume path invoked cond_resched() which in turn led to the invocation of the scheduler: __cond_resched+0x21/0x60 down_timeout+0x18/0x60 acpi_os_wait_semaphore+0x4c/0x80 acpi_ut_acquire_mutex+0x3d/0x100 acpi_ns_get_node+0x27/0x60 acpi_ns_evaluate+0x1cb/0x2d0 acpi_rs_set_srs_method_data+0x156/0x190 acpi_pci_link_set+0x11c/0x290 irqrouter_resume+0x54/0x60 syscore_resume+0x6a/0x200 kernel_kexec+0x145/0x1c0 __do_sys_reboot+0xeb/0x240 do_syscall_64+0x95/0x180 This is a long standing problem, which probably got more visible with the recent printk changes. Something does a task wakeup and the scheduler sets the NEED_RESCHED flag. cond_resched() sees it set and invokes schedule() from a completely bogus context. The scheduler enables interrupts after context switching, which causes the above warning at the end. Quite some of the code paths in syscore_suspend()/resume() can result in triggering a wakeup with the exactly same consequences. They might not have done so yet, but as they share a lot of code with normal operations it's just a question of time. The problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling models. Full preemption is not affected as cond_resched() is disabled and the preemption check preemptible() takes the interrupt disabled flag into account. Cure the problem by adding a corresponding check into cond_resched().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/321794b75ac968f0b…
	https://git.kernel.org/stable/c/1651f5731b3786165…
	https://git.kernel.org/stable/c/288fdb8dcb71ec77b…
	https://git.kernel.org/stable/c/84586322e010164ee…
	https://git.kernel.org/stable/c/68786ab0935ccd572…
	https://git.kernel.org/stable/c/0362847c520747b44…
	https://git.kernel.org/stable/c/b927c8539f692fb1f…
	https://git.kernel.org/stable/c/82c387ef7568c0d96…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 321794b75ac968f0bb6b9c913581949452a8d992 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 1651f5731b378616565534eb9cda30e258cebebc (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 288fdb8dcb71ec77b76ab8b8a06bc10f595ea504 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 84586322e010164eedddfcd0a0894206ae7d9317 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 68786ab0935ccd5721283b7eb7f4d2f2942c7a52 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0362847c520747b44b574d363705d8af0621727a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < b927c8539f692fb1f9c2f42e6c8ea2d94956f921 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 82c387ef7568c0d96a918a5a78d9cad6256cfa15 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.81 , ≤ 6.6.* (semver)
Unaffected: 6.12.18 , ≤ 6.12.* (semver)
Unaffected: 6.13.6 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:34:24.381Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "321794b75ac968f0bb6b9c913581949452a8d992",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "1651f5731b378616565534eb9cda30e258cebebc",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "288fdb8dcb71ec77b76ab8b8a06bc10f595ea504",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "84586322e010164eedddfcd0a0894206ae7d9317",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "68786ab0935ccd5721283b7eb7f4d2f2942c7a52",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0362847c520747b44b574d363705d8af0621727a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "b927c8539f692fb1f9c2f42e6c8ea2d94956f921",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "82c387ef7568c0d96a918a5a78d9cad6256cfa15",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/sched/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.81",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.18",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.6",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.81",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.18",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.6",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsched/core: Prevent rescheduling when interrupts are disabled\n\nDavid reported a warning observed while loop testing kexec jump:\n\n  Interrupts enabled after irqrouter_resume+0x0/0x50\n  WARNING: CPU: 0 PID: 560 at drivers/base/syscore.c:103 syscore_resume+0x18a/0x220\n   kernel_kexec+0xf6/0x180\n   __do_sys_reboot+0x206/0x250\n   do_syscall_64+0x95/0x180\n\nThe corresponding interrupt flag trace:\n\n  hardirqs last  enabled at (15573): [\u003cffffffffa8281b8e\u003e] __up_console_sem+0x7e/0x90\n  hardirqs last disabled at (15580): [\u003cffffffffa8281b73\u003e] __up_console_sem+0x63/0x90\n\nThat means __up_console_sem() was invoked with interrupts enabled. Further\ninstrumentation revealed that in the interrupt disabled section of kexec\njump one of the syscore_suspend() callbacks woke up a task, which set the\nNEED_RESCHED flag. A later callback in the resume path invoked\ncond_resched() which in turn led to the invocation of the scheduler:\n\n  __cond_resched+0x21/0x60\n  down_timeout+0x18/0x60\n  acpi_os_wait_semaphore+0x4c/0x80\n  acpi_ut_acquire_mutex+0x3d/0x100\n  acpi_ns_get_node+0x27/0x60\n  acpi_ns_evaluate+0x1cb/0x2d0\n  acpi_rs_set_srs_method_data+0x156/0x190\n  acpi_pci_link_set+0x11c/0x290\n  irqrouter_resume+0x54/0x60\n  syscore_resume+0x6a/0x200\n  kernel_kexec+0x145/0x1c0\n  __do_sys_reboot+0xeb/0x240\n  do_syscall_64+0x95/0x180\n\nThis is a long standing problem, which probably got more visible with\nthe recent printk changes. Something does a task wakeup and the\nscheduler sets the NEED_RESCHED flag. cond_resched() sees it set and\ninvokes schedule() from a completely bogus context. The scheduler\nenables interrupts after context switching, which causes the above\nwarning at the end.\n\nQuite some of the code paths in syscore_suspend()/resume() can result in\ntriggering a wakeup with the exactly same consequences. They might not\nhave done so yet, but as they share a lot of code with normal operations\nit\u0027s just a question of time.\n\nThe problem only affects the PREEMPT_NONE and PREEMPT_VOLUNTARY scheduling\nmodels. Full preemption is not affected as cond_resched() is disabled and\nthe preemption check preemptible() takes the interrupt disabled flag into\naccount.\n\nCure the problem by adding a corresponding check into cond_resched()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-05T10:56:51.140Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/321794b75ac968f0bb6b9c913581949452a8d992"
        },
        {
          "url": "https://git.kernel.org/stable/c/1651f5731b378616565534eb9cda30e258cebebc"
        },
        {
          "url": "https://git.kernel.org/stable/c/288fdb8dcb71ec77b76ab8b8a06bc10f595ea504"
        },
        {
          "url": "https://git.kernel.org/stable/c/84586322e010164eedddfcd0a0894206ae7d9317"
        },
        {
          "url": "https://git.kernel.org/stable/c/68786ab0935ccd5721283b7eb7f4d2f2942c7a52"
        },
        {
          "url": "https://git.kernel.org/stable/c/0362847c520747b44b574d363705d8af0621727a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b927c8539f692fb1f9c2f42e6c8ea2d94956f921"
        },
        {
          "url": "https://git.kernel.org/stable/c/82c387ef7568c0d96a918a5a78d9cad6256cfa15"
        }
      ],
      "title": "sched/core: Prevent rescheduling when interrupts are disabled",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58090",
    "datePublished": "2025-03-27T14:57:02.886Z",
    "dateReserved": "2025-03-06T15:52:09.188Z",
    "dateUpdated": "2026-01-05T10:56:51.140Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22069 (GCVE-0-2025-22069)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-05-26 05:17

Title

riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler

Summary

In the Linux kernel, the following vulnerability has been resolved: riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler Naresh Kamboju reported a "Bad frame pointer" kernel warning while running LTP trace ftrace_stress_test.sh in riscv. We can reproduce the same issue with the following command: ``` $ cd /sys/kernel/debug/tracing $ echo 'f:myprobe do_nanosleep%return args1=$retval' > dynamic_events $ echo 1 > events/fprobes/enable $ echo 1 > tracing_on $ sleep 1 ``` And we can get the following kernel warning: [ 127.692888] ------------[ cut here ]------------ [ 127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000 [ 127.693755] from func do_nanosleep return to ffffffff800ccb16 [ 127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be [ 127.699894] Modules linked in: [ 127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32 [ 127.701453] Hardware name: riscv-virtio,qemu (DT) [ 127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be [ 127.702032] ra : ftrace_return_to_handler+0x1b2/0x1be [ 127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10 [ 127.702221] gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000 [ 127.702284] t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80 [ 127.702346] s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20 [ 127.702408] a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000 [ 127.702470] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038 [ 127.702530] s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0 [ 127.702591] s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068 [ 127.702651] s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001 [ 127.702710] s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e [ 127.702769] t5 : ffffffff819d89a0 t6 : ff2000000065bb18 [ 127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003 [ 127.703292] [<ffffffff8013b5e0>] ftrace_return_to_handler+0x1b2/0x1be [ 127.703760] [<ffffffff80017bce>] return_to_handler+0x16/0x26 [ 127.704009] [<ffffffff80017bb8>] return_to_handler+0x0/0x26 [ 127.704057] [<ffffffff800d3352>] common_nsleep+0x42/0x54 [ 127.704117] [<ffffffff800d44a2>] __riscv_sys_clock_nanosleep+0xba/0x10a [ 127.704176] [<ffffffff80901c56>] do_trap_ecall_u+0x188/0x218 [ 127.704295] [<ffffffff8090cc3e>] handle_exception+0x14a/0x156 [ 127.705436] ---[ end trace 0000000000000000 ]--- The reason is that the stack layout for constructing argument for the ftrace_return_to_handler in the return_to_handler does not match the __arch_ftrace_regs structure of riscv, leading to unexpected results.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/78b39c587b8f6c691…
	https://git.kernel.org/stable/c/67a5ba8f742f247bc…

Impacted products

Vendor

Product

Version

Linux

Affected: a3ed4157b7d89800a0008de0c9e46a438a5c3745 , < 78b39c587b8f6c69140177108f9c08a75b1c7c37 (git)
Affected: a3ed4157b7d89800a0008de0c9e46a438a5c3745 , < 67a5ba8f742f247bc83e46dd2313c142b1383276 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/kernel/mcount.S"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "78b39c587b8f6c69140177108f9c08a75b1c7c37",
              "status": "affected",
              "version": "a3ed4157b7d89800a0008de0c9e46a438a5c3745",
              "versionType": "git"
            },
            {
              "lessThan": "67a5ba8f742f247bc83e46dd2313c142b1383276",
              "status": "affected",
              "version": "a3ed4157b7d89800a0008de0c9e46a438a5c3745",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/riscv/kernel/mcount.S"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nriscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler\n\nNaresh Kamboju reported a \"Bad frame pointer\" kernel warning while\nrunning LTP trace ftrace_stress_test.sh in riscv. We can reproduce the\nsame issue with the following command:\n\n```\n$ cd /sys/kernel/debug/tracing\n$ echo \u0027f:myprobe do_nanosleep%return args1=$retval\u0027 \u003e dynamic_events\n$ echo 1 \u003e events/fprobes/enable\n$ echo 1 \u003e tracing_on\n$ sleep 1\n```\n\nAnd we can get the following kernel warning:\n\n[  127.692888] ------------[ cut here ]------------\n[  127.693755] Bad frame pointer: expected ff2000000065be50, received ba34c141e9594000\n[  127.693755]   from func do_nanosleep return to ffffffff800ccb16\n[  127.698699] WARNING: CPU: 1 PID: 129 at kernel/trace/fgraph.c:755 ftrace_return_to_handler+0x1b2/0x1be\n[  127.699894] Modules linked in:\n[  127.700908] CPU: 1 UID: 0 PID: 129 Comm: sleep Not tainted 6.14.0-rc3-g0ab191c74642 #32\n[  127.701453] Hardware name: riscv-virtio,qemu (DT)\n[  127.701859] epc : ftrace_return_to_handler+0x1b2/0x1be\n[  127.702032]  ra : ftrace_return_to_handler+0x1b2/0x1be\n[  127.702151] epc : ffffffff8013b5e0 ra : ffffffff8013b5e0 sp : ff2000000065bd10\n[  127.702221]  gp : ffffffff819c12f8 tp : ff60000080853100 t0 : 6e00000000000000\n[  127.702284]  t1 : 0000000000000020 t2 : 6e7566206d6f7266 s0 : ff2000000065bd80\n[  127.702346]  s1 : ff60000081262000 a0 : 000000000000007b a1 : ffffffff81894f20\n[  127.702408]  a2 : 0000000000000010 a3 : fffffffffffffffe a4 : 0000000000000000\n[  127.702470]  a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038\n[  127.702530]  s2 : ba34c141e9594000 s3 : 0000000000000000 s4 : ff2000000065bdd0\n[  127.702591]  s5 : 00007fff8adcf400 s6 : 000055556dc1d8c0 s7 : 0000000000000068\n[  127.702651]  s8 : 00007fff8adf5d10 s9 : 000000000000006d s10: 0000000000000001\n[  127.702710]  s11: 00005555737377c8 t3 : ffffffff819d899e t4 : ffffffff819d899e\n[  127.702769]  t5 : ffffffff819d89a0 t6 : ff2000000065bb18\n[  127.702826] status: 0000000200000120 badaddr: 0000000000000000 cause: 0000000000000003\n[  127.703292] [\u003cffffffff8013b5e0\u003e] ftrace_return_to_handler+0x1b2/0x1be\n[  127.703760] [\u003cffffffff80017bce\u003e] return_to_handler+0x16/0x26\n[  127.704009] [\u003cffffffff80017bb8\u003e] return_to_handler+0x0/0x26\n[  127.704057] [\u003cffffffff800d3352\u003e] common_nsleep+0x42/0x54\n[  127.704117] [\u003cffffffff800d44a2\u003e] __riscv_sys_clock_nanosleep+0xba/0x10a\n[  127.704176] [\u003cffffffff80901c56\u003e] do_trap_ecall_u+0x188/0x218\n[  127.704295] [\u003cffffffff8090cc3e\u003e] handle_exception+0x14a/0x156\n[  127.705436] ---[ end trace 0000000000000000 ]---\n\nThe reason is that the stack layout for constructing argument for the\nftrace_return_to_handler in the return_to_handler does not match the\n__arch_ftrace_regs structure of riscv, leading to unexpected results."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:47.622Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/78b39c587b8f6c69140177108f9c08a75b1c7c37"
        },
        {
          "url": "https://git.kernel.org/stable/c/67a5ba8f742f247bc83e46dd2313c142b1383276"
        }
      ],
      "title": "riscv: fgraph: Fix stack layout to match __arch_ftrace_regs argument of ftrace_return_to_handler",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22069",
    "datePublished": "2025-04-16T14:12:22.357Z",
    "dateReserved": "2024-12-29T08:45:45.814Z",
    "dateUpdated": "2025-05-26T05:17:47.622Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37827 (GCVE-0-2025-37827)

Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2025-05-26 05:21

Title

btrfs: zoned: return EIO on RAID1 block group write pointer mismatch

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: zoned: return EIO on RAID1 block group write pointer mismatch There was a bug report about a NULL pointer dereference in __btrfs_add_free_space_zoned() that ultimately happens because a conversion from the default metadata profile DUP to a RAID1 profile on two disks. The stack trace has the following signature: BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile BUG: kernel NULL pointer dereference, address: 0000000000000058 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0 RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246 RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001 RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410 RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000 R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000 R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000 FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0 Call Trace: <TASK> ? __die_body.cold+0x19/0x27 ? page_fault_oops+0x15c/0x2f0 ? exc_page_fault+0x7e/0x180 ? asm_exc_page_fault+0x26/0x30 ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0 btrfs_add_free_space_async_trimmed+0x34/0x40 btrfs_add_new_free_space+0x107/0x120 btrfs_make_block_group+0x104/0x2b0 btrfs_create_chunk+0x977/0xf20 btrfs_chunk_alloc+0x174/0x510 ? srso_return_thunk+0x5/0x5f btrfs_inc_block_group_ro+0x1b1/0x230 btrfs_relocate_block_group+0x9e/0x410 btrfs_relocate_chunk+0x3f/0x130 btrfs_balance+0x8ac/0x12b0 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? __kmalloc_cache_noprof+0x14c/0x3e0 btrfs_ioctl+0x2686/0x2a80 ? srso_return_thunk+0x5/0x5f ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120 __x64_sys_ioctl+0x97/0xc0 do_syscall_64+0x82/0x160 ? srso_return_thunk+0x5/0x5f ? __memcg_slab_free_hook+0x11a/0x170 ? srso_return_thunk+0x5/0x5f ? kmem_cache_free+0x3f0/0x450 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? syscall_exit_to_user_mode+0x10/0x210 ? srso_return_thunk+0x5/0x5f ? do_syscall_64+0x8e/0x160 ? sysfs_emit+0xaf/0xc0 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? seq_read_iter+0x207/0x460 ? srso_return_thunk+0x5/0x5f ? vfs_read+0x29c/0x370 ? srso_return_thunk+0x5/0x5f ? srso_return_thunk+0x5/0x5f ? syscall_exit_to_user_mode+0x10/0x210 ? srso_return_thunk+0x5/0x5f ? do_syscall_64+0x8e/0x160 ? srso_return_thunk+0x5/0x5f ? exc_page_fault+0x7e/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e RIP: 0033:0x7fdab1e0ca6d RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003 RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001 </TASK> CR2: 0000000000000058 ---[ end trace 0000000000000000 ]--- The 1st line is the most interesting here: BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile When a RAID1 block-group is created and a write pointer mismatch between the disks in the RAID set is detected, btrfs sets the alloc_offset to the length of the block group marking it as full. Afterwards the code expects that a balance operation will evacuate the data in this block-group and repair the problems. But before this is possible, the new space of this block-group will be accounted in the free space cache. But in __btrfs_ ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9a447f748f6c7287d…
	https://git.kernel.org/stable/c/f4717a02cc422cf4b…
	https://git.kernel.org/stable/c/b0c26f47992672661…

Impacted products

Vendor

Product

Version

Linux

Affected: b1934cd6069538db2255dc94ba573771ecf3b560 , < 9a447f748f6c7287dad68fa91913cd382fa0fcc8 (git)
Affected: b1934cd6069538db2255dc94ba573771ecf3b560 , < f4717a02cc422cf4bb2dbb280b154a1ae65c5f84 (git)
Affected: b1934cd6069538db2255dc94ba573771ecf3b560 , < b0c26f47992672661340dd6ea931240213016609 (git)
Affected: e91dab550dd1d2221333cac9f5c012ab5193696f (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/zoned.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9a447f748f6c7287dad68fa91913cd382fa0fcc8",
              "status": "affected",
              "version": "b1934cd6069538db2255dc94ba573771ecf3b560",
              "versionType": "git"
            },
            {
              "lessThan": "f4717a02cc422cf4bb2dbb280b154a1ae65c5f84",
              "status": "affected",
              "version": "b1934cd6069538db2255dc94ba573771ecf3b560",
              "versionType": "git"
            },
            {
              "lessThan": "b0c26f47992672661340dd6ea931240213016609",
              "status": "affected",
              "version": "b1934cd6069538db2255dc94ba573771ecf3b560",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e91dab550dd1d2221333cac9f5c012ab5193696f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/zoned.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.10.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: zoned: return EIO on RAID1 block group write pointer mismatch\n\nThere was a bug report about a NULL pointer dereference in\n__btrfs_add_free_space_zoned() that ultimately happens because a\nconversion from the default metadata profile DUP to a RAID1 profile on two\ndisks.\n\nThe stack trace has the following signature:\n\n  BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n  BUG: kernel NULL pointer dereference, address: 0000000000000058\n  #PF: supervisor read access in kernel mode\n  #PF: error_code(0x0000) - not-present page\n  PGD 0 P4D 0\n  Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n  RIP: 0010:__btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n  RSP: 0018:ffffa236b6f3f6d0 EFLAGS: 00010246\n  RAX: 0000000000000000 RBX: ffff96c8132f3400 RCX: 0000000000000001\n  RDX: 0000000010000000 RSI: 0000000000000000 RDI: ffff96c8132f3410\n  RBP: 0000000010000000 R08: 0000000000000003 R09: 0000000000000000\n  R10: 0000000000000000 R11: 00000000ffffffff R12: 0000000000000000\n  R13: ffff96c758f65a40 R14: 0000000000000001 R15: 000011aac0000000\n  FS: 00007fdab1cb2900(0000) GS:ffff96e60ca00000(0000) knlGS:0000000000000000\n  CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 0000000000000058 CR3: 00000001a05ae000 CR4: 0000000000350ef0\n  Call Trace:\n  \u003cTASK\u003e\n  ? __die_body.cold+0x19/0x27\n  ? page_fault_oops+0x15c/0x2f0\n  ? exc_page_fault+0x7e/0x180\n  ? asm_exc_page_fault+0x26/0x30\n  ? __btrfs_add_free_space_zoned.isra.0+0x61/0x1a0\n  btrfs_add_free_space_async_trimmed+0x34/0x40\n  btrfs_add_new_free_space+0x107/0x120\n  btrfs_make_block_group+0x104/0x2b0\n  btrfs_create_chunk+0x977/0xf20\n  btrfs_chunk_alloc+0x174/0x510\n  ? srso_return_thunk+0x5/0x5f\n  btrfs_inc_block_group_ro+0x1b1/0x230\n  btrfs_relocate_block_group+0x9e/0x410\n  btrfs_relocate_chunk+0x3f/0x130\n  btrfs_balance+0x8ac/0x12b0\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? __kmalloc_cache_noprof+0x14c/0x3e0\n  btrfs_ioctl+0x2686/0x2a80\n  ? srso_return_thunk+0x5/0x5f\n  ? ioctl_has_perm.constprop.0.isra.0+0xd2/0x120\n  __x64_sys_ioctl+0x97/0xc0\n  do_syscall_64+0x82/0x160\n  ? srso_return_thunk+0x5/0x5f\n  ? __memcg_slab_free_hook+0x11a/0x170\n  ? srso_return_thunk+0x5/0x5f\n  ? kmem_cache_free+0x3f0/0x450\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? syscall_exit_to_user_mode+0x10/0x210\n  ? srso_return_thunk+0x5/0x5f\n  ? do_syscall_64+0x8e/0x160\n  ? sysfs_emit+0xaf/0xc0\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? seq_read_iter+0x207/0x460\n  ? srso_return_thunk+0x5/0x5f\n  ? vfs_read+0x29c/0x370\n  ? srso_return_thunk+0x5/0x5f\n  ? srso_return_thunk+0x5/0x5f\n  ? syscall_exit_to_user_mode+0x10/0x210\n  ? srso_return_thunk+0x5/0x5f\n  ? do_syscall_64+0x8e/0x160\n  ? srso_return_thunk+0x5/0x5f\n  ? exc_page_fault+0x7e/0x180\n  entry_SYSCALL_64_after_hwframe+0x76/0x7e\n  RIP: 0033:0x7fdab1e0ca6d\n  RSP: 002b:00007ffeb2b60c80 EFLAGS: 00000246 ORIG_RAX: 0000000000000010\n  RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdab1e0ca6d\n  RDX: 00007ffeb2b60d80 RSI: 00000000c4009420 RDI: 0000000000000003\n  RBP: 00007ffeb2b60cd0 R08: 0000000000000000 R09: 0000000000000013\n  R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\n  R13: 00007ffeb2b6343b R14: 00007ffeb2b60d80 R15: 0000000000000001\n  \u003c/TASK\u003e\n  CR2: 0000000000000058\n  ---[ end trace 0000000000000000 ]---\n\nThe 1st line is the most interesting here:\n\n BTRFS error (device sdc): zoned: write pointer offset mismatch of zones in raid1 profile\n\nWhen a RAID1 block-group is created and a write pointer mismatch between\nthe disks in the RAID set is detected, btrfs sets the alloc_offset to the\nlength of the block group marking it as full. Afterwards the code expects\nthat a balance operation will evacuate the data in this block-group and\nrepair the problems.\n\nBut before this is possible, the new space of this block-group will be\naccounted in the free space cache. But in __btrfs_\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:44.197Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9a447f748f6c7287dad68fa91913cd382fa0fcc8"
        },
        {
          "url": "https://git.kernel.org/stable/c/f4717a02cc422cf4bb2dbb280b154a1ae65c5f84"
        },
        {
          "url": "https://git.kernel.org/stable/c/b0c26f47992672661340dd6ea931240213016609"
        }
      ],
      "title": "btrfs: zoned: return EIO on RAID1 block group write pointer mismatch",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37827",
    "datePublished": "2025-05-08T06:26:19.320Z",
    "dateReserved": "2025-04-16T04:51:23.950Z",
    "dateUpdated": "2025-05-26T05:21:44.197Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21904 (GCVE-0-2025-21904)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:38

Title

caif_virtio: fix wrong pointer check in cfv_probe()

Summary

In the Linux kernel, the following vulnerability has been resolved: caif_virtio: fix wrong pointer check in cfv_probe() del_vqs() frees virtqueues, therefore cfv->vq_tx pointer should be checked for NULL before calling it, not cfv->vdev. Also the current implementation is redundant because the pointer cfv->vdev is dereferenced before it is checked for NULL. Fix this by checking cfv->vq_tx for NULL instead of cfv->vdev before calling del_vqs().

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/990fff6980d0c1693…
	https://git.kernel.org/stable/c/7b5fe58959822e6cf…
	https://git.kernel.org/stable/c/8e4e08ca4cc634b33…
	https://git.kernel.org/stable/c/29e0cd296c8724027…
	https://git.kernel.org/stable/c/90d302619ee7ce5ed…
	https://git.kernel.org/stable/c/56cddf71cce3b15b0…
	https://git.kernel.org/stable/c/597c27e5f04cb50e5…
	https://git.kernel.org/stable/c/a466fd7e9fafd9759…

Impacted products

Vendor

Product

Version

Linux

Affected: 0d2e1a2926b1839a4b74519e660739b2566c9386 , < 990fff6980d0c1693d60a812f58dbf93eab0473f (git)
Affected: 0d2e1a2926b1839a4b74519e660739b2566c9386 , < 7b5fe58959822e6cfa884327cabba6be3b01883d (git)
Affected: 0d2e1a2926b1839a4b74519e660739b2566c9386 , < 8e4e08ca4cc634b337bb74bc9a70758fdeda0bcb (git)
Affected: 0d2e1a2926b1839a4b74519e660739b2566c9386 , < 29e0cd296c87240278e2f7ea4cf3f496b60c03af (git)
Affected: 0d2e1a2926b1839a4b74519e660739b2566c9386 , < 90d302619ee7ce5ed0c69c29c290bdccfde66418 (git)
Affected: 0d2e1a2926b1839a4b74519e660739b2566c9386 , < 56cddf71cce3b15b078e937fadab29962b6f6643 (git)
Affected: 0d2e1a2926b1839a4b74519e660739b2566c9386 , < 597c27e5f04cb50e56cc9aeda75d3e42b6b89c3e (git)
Affected: 0d2e1a2926b1839a4b74519e660739b2566c9386 , < a466fd7e9fafd975949e5945e2f70c33a94b1a70 (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21904",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:24:28.456354Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:35.007Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:48.685Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/caif/caif_virtio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "990fff6980d0c1693d60a812f58dbf93eab0473f",
              "status": "affected",
              "version": "0d2e1a2926b1839a4b74519e660739b2566c9386",
              "versionType": "git"
            },
            {
              "lessThan": "7b5fe58959822e6cfa884327cabba6be3b01883d",
              "status": "affected",
              "version": "0d2e1a2926b1839a4b74519e660739b2566c9386",
              "versionType": "git"
            },
            {
              "lessThan": "8e4e08ca4cc634b337bb74bc9a70758fdeda0bcb",
              "status": "affected",
              "version": "0d2e1a2926b1839a4b74519e660739b2566c9386",
              "versionType": "git"
            },
            {
              "lessThan": "29e0cd296c87240278e2f7ea4cf3f496b60c03af",
              "status": "affected",
              "version": "0d2e1a2926b1839a4b74519e660739b2566c9386",
              "versionType": "git"
            },
            {
              "lessThan": "90d302619ee7ce5ed0c69c29c290bdccfde66418",
              "status": "affected",
              "version": "0d2e1a2926b1839a4b74519e660739b2566c9386",
              "versionType": "git"
            },
            {
              "lessThan": "56cddf71cce3b15b078e937fadab29962b6f6643",
              "status": "affected",
              "version": "0d2e1a2926b1839a4b74519e660739b2566c9386",
              "versionType": "git"
            },
            {
              "lessThan": "597c27e5f04cb50e56cc9aeda75d3e42b6b89c3e",
              "status": "affected",
              "version": "0d2e1a2926b1839a4b74519e660739b2566c9386",
              "versionType": "git"
            },
            {
              "lessThan": "a466fd7e9fafd975949e5945e2f70c33a94b1a70",
              "status": "affected",
              "version": "0d2e1a2926b1839a4b74519e660739b2566c9386",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/caif/caif_virtio.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncaif_virtio: fix wrong pointer check in cfv_probe()\n\ndel_vqs() frees virtqueues, therefore cfv-\u003evq_tx pointer should be checked\nfor NULL before calling it, not cfv-\u003evdev. Also the current implementation\nis redundant because the pointer cfv-\u003evdev is dereferenced before it is\nchecked for NULL.\n\nFix this by checking cfv-\u003evq_tx for NULL instead of cfv-\u003evdev before\ncalling del_vqs()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:23:53.919Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/990fff6980d0c1693d60a812f58dbf93eab0473f"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b5fe58959822e6cfa884327cabba6be3b01883d"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e4e08ca4cc634b337bb74bc9a70758fdeda0bcb"
        },
        {
          "url": "https://git.kernel.org/stable/c/29e0cd296c87240278e2f7ea4cf3f496b60c03af"
        },
        {
          "url": "https://git.kernel.org/stable/c/90d302619ee7ce5ed0c69c29c290bdccfde66418"
        },
        {
          "url": "https://git.kernel.org/stable/c/56cddf71cce3b15b078e937fadab29962b6f6643"
        },
        {
          "url": "https://git.kernel.org/stable/c/597c27e5f04cb50e56cc9aeda75d3e42b6b89c3e"
        },
        {
          "url": "https://git.kernel.org/stable/c/a466fd7e9fafd975949e5945e2f70c33a94b1a70"
        }
      ],
      "title": "caif_virtio: fix wrong pointer check in cfv_probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21904",
    "datePublished": "2025-04-01T15:40:45.881Z",
    "dateReserved": "2024-12-29T08:45:45.785Z",
    "dateUpdated": "2025-11-03T19:38:48.685Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21820 (GCVE-0-2025-21820)

Vulnerability from cvelistv5 – Published: 2025-02-27 20:04 – Updated: 2025-11-03 20:59

Title

tty: xilinx_uartps: split sysrq handling

Summary

In the Linux kernel, the following vulnerability has been resolved: tty: xilinx_uartps: split sysrq handling lockdep detects the following circular locking dependency: CPU 0 CPU 1 ========================== ============================ cdns_uart_isr() printk() uart_port_lock(port) console_lock() cdns_uart_console_write() if (!port->sysrq) uart_port_lock(port) uart_handle_break() port->sysrq = ... uart_handle_sysrq_char() printk() console_lock() The fixed commit attempts to avoid this situation by only taking the port lock in cdns_uart_console_write if port->sysrq unset. However, if (as shown above) cdns_uart_console_write runs before port->sysrq is set, then it will try to take the port lock anyway. This may result in a deadlock. Fix this by splitting sysrq handling into two parts. We use the prepare helper under the port lock and defer handling until we release the lock.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e22a97700901ba5e8…
	https://git.kernel.org/stable/c/de5bd24197bd9ee37…
	https://git.kernel.org/stable/c/8ea0e7b3d7b8f2f0f…
	https://git.kernel.org/stable/c/9b88a7c4584ba6726…
	https://git.kernel.org/stable/c/4410dba9807a17a93…
	https://git.kernel.org/stable/c/b06f388994500297b…

Impacted products

Vendor

Product

Version

Linux

Affected: 74ea66d4ca061a3cd4c0e924e51b60e924644852 , < e22a97700901ba5e8bf8db68056a0d50f9440cae (git)
Affected: 74ea66d4ca061a3cd4c0e924e51b60e924644852 , < de5bd24197bd9ee37ec1e379a3d882bbd15c5065 (git)
Affected: 74ea66d4ca061a3cd4c0e924e51b60e924644852 , < 8ea0e7b3d7b8f2f0fc9db491ff22a0abe120801c (git)
Affected: 74ea66d4ca061a3cd4c0e924e51b60e924644852 , < 9b88a7c4584ba67267a051069b8abe44fc9595b2 (git)
Affected: 74ea66d4ca061a3cd4c0e924e51b60e924644852 , < 4410dba9807a17a93f649a9f5870ceaf30a675a3 (git)
Affected: 74ea66d4ca061a3cd4c0e924e51b60e924644852 , < b06f388994500297bb91be60ffaf6825ecfd2afe (git)

Linux

Affected: 4.6
Unaffected: 0 , < 4.6 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.78 , ≤ 6.6.* (semver)
Unaffected: 6.12.14 , ≤ 6.12.* (semver)
Unaffected: 6.13.3 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:59:53.209Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/xilinx_uartps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e22a97700901ba5e8bf8db68056a0d50f9440cae",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            },
            {
              "lessThan": "de5bd24197bd9ee37ec1e379a3d882bbd15c5065",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            },
            {
              "lessThan": "8ea0e7b3d7b8f2f0fc9db491ff22a0abe120801c",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            },
            {
              "lessThan": "9b88a7c4584ba67267a051069b8abe44fc9595b2",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            },
            {
              "lessThan": "4410dba9807a17a93f649a9f5870ceaf30a675a3",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            },
            {
              "lessThan": "b06f388994500297bb91be60ffaf6825ecfd2afe",
              "status": "affected",
              "version": "74ea66d4ca061a3cd4c0e924e51b60e924644852",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/tty/serial/xilinx_uartps.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.6"
            },
            {
              "lessThan": "4.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ntty: xilinx_uartps: split sysrq handling\n\nlockdep detects the following circular locking dependency:\n\nCPU 0                      CPU 1\n========================== ============================\ncdns_uart_isr()            printk()\n  uart_port_lock(port)       console_lock()\n\t\t\t     cdns_uart_console_write()\n                               if (!port-\u003esysrq)\n                                 uart_port_lock(port)\n  uart_handle_break()\n    port-\u003esysrq = ...\n  uart_handle_sysrq_char()\n    printk()\n      console_lock()\n\nThe fixed commit attempts to avoid this situation by only taking the\nport lock in cdns_uart_console_write if port-\u003esysrq unset. However, if\n(as shown above) cdns_uart_console_write runs before port-\u003esysrq is set,\nthen it will try to take the port lock anyway. This may result in a\ndeadlock.\n\nFix this by splitting sysrq handling into two parts. We use the prepare\nhelper under the port lock and defer handling until we release the lock."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:51.032Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e22a97700901ba5e8bf8db68056a0d50f9440cae"
        },
        {
          "url": "https://git.kernel.org/stable/c/de5bd24197bd9ee37ec1e379a3d882bbd15c5065"
        },
        {
          "url": "https://git.kernel.org/stable/c/8ea0e7b3d7b8f2f0fc9db491ff22a0abe120801c"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b88a7c4584ba67267a051069b8abe44fc9595b2"
        },
        {
          "url": "https://git.kernel.org/stable/c/4410dba9807a17a93f649a9f5870ceaf30a675a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/b06f388994500297bb91be60ffaf6825ecfd2afe"
        }
      ],
      "title": "tty: xilinx_uartps: split sysrq handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21820",
    "datePublished": "2025-02-27T20:04:17.930Z",
    "dateReserved": "2024-12-29T08:45:45.775Z",
    "dateUpdated": "2025-11-03T20:59:53.209Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21996 (GCVE-0-2025-21996)

Vulnerability from cvelistv5 – Published: 2025-04-03 07:18 – Updated: 2025-11-03 19:40

Title

drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse() On the off chance that command stream passed from userspace via ioctl() call to radeon_vce_cs_parse() is weirdly crafted and first command to execute is to encode (case 0x03000001), the function in question will attempt to call radeon_vce_cs_reloc() with size argument that has not been properly initialized. Specifically, 'size' will point to 'tmp' variable before the latter had a chance to be assigned any value. Play it safe and init 'tmp' with 0, thus ensuring that radeon_vce_cs_reloc() will catch an early error in cases like these. Found by Linux Verification Center (linuxtesting.org) with static analysis tool SVACE. (cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0effb378ebce52b89…
	https://git.kernel.org/stable/c/5b4d9d20fd455a979…
	https://git.kernel.org/stable/c/9b2da9c673a0da135…
	https://git.kernel.org/stable/c/78b07dada3f02f777…
	https://git.kernel.org/stable/c/3ce08215cad55c10a…
	https://git.kernel.org/stable/c/dd1801aa01bba1760…
	https://git.kernel.org/stable/c/f5e049028124f7552…
	https://git.kernel.org/stable/c/dd8689b52a24807c2…

Impacted products

Vendor

Product

Version

Linux

Affected: 2fc5703abda201f138faf63bdca743d04dbf4b1a , < 0effb378ebce52b897f85cd7f828854b8c7cb636 (git)
Affected: 2fc5703abda201f138faf63bdca743d04dbf4b1a , < 5b4d9d20fd455a97920cf158dd19163b879cf65d (git)
Affected: 2fc5703abda201f138faf63bdca743d04dbf4b1a , < 9b2da9c673a0da1359a2151f7ce773e2f77d71a9 (git)
Affected: 2fc5703abda201f138faf63bdca743d04dbf4b1a , < 78b07dada3f02f77762d0755a96d35f53b02be69 (git)
Affected: 2fc5703abda201f138faf63bdca743d04dbf4b1a , < 3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8 (git)
Affected: 2fc5703abda201f138faf63bdca743d04dbf4b1a , < dd1801aa01bba1760357f2a641346ae149686713 (git)
Affected: 2fc5703abda201f138faf63bdca743d04dbf4b1a , < f5e049028124f755283f2c07e7a3708361ed1dc8 (git)
Affected: 2fc5703abda201f138faf63bdca743d04dbf4b1a , < dd8689b52a24807c2d5ce0a17cb26dc87f75235c (git)

Linux

Affected: 3.15
Unaffected: 0 , < 3.15 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.85 , ≤ 6.6.* (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21996",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T18:15:07.384970Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T18:15:11.775Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:37.900Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/radeon/radeon_vce.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0effb378ebce52b897f85cd7f828854b8c7cb636",
              "status": "affected",
              "version": "2fc5703abda201f138faf63bdca743d04dbf4b1a",
              "versionType": "git"
            },
            {
              "lessThan": "5b4d9d20fd455a97920cf158dd19163b879cf65d",
              "status": "affected",
              "version": "2fc5703abda201f138faf63bdca743d04dbf4b1a",
              "versionType": "git"
            },
            {
              "lessThan": "9b2da9c673a0da1359a2151f7ce773e2f77d71a9",
              "status": "affected",
              "version": "2fc5703abda201f138faf63bdca743d04dbf4b1a",
              "versionType": "git"
            },
            {
              "lessThan": "78b07dada3f02f77762d0755a96d35f53b02be69",
              "status": "affected",
              "version": "2fc5703abda201f138faf63bdca743d04dbf4b1a",
              "versionType": "git"
            },
            {
              "lessThan": "3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8",
              "status": "affected",
              "version": "2fc5703abda201f138faf63bdca743d04dbf4b1a",
              "versionType": "git"
            },
            {
              "lessThan": "dd1801aa01bba1760357f2a641346ae149686713",
              "status": "affected",
              "version": "2fc5703abda201f138faf63bdca743d04dbf4b1a",
              "versionType": "git"
            },
            {
              "lessThan": "f5e049028124f755283f2c07e7a3708361ed1dc8",
              "status": "affected",
              "version": "2fc5703abda201f138faf63bdca743d04dbf4b1a",
              "versionType": "git"
            },
            {
              "lessThan": "dd8689b52a24807c2d5ce0a17cb26dc87f75235c",
              "status": "affected",
              "version": "2fc5703abda201f138faf63bdca743d04dbf4b1a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/radeon/radeon_vce.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.15"
            },
            {
              "lessThan": "3.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.85",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.85",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()\n\nOn the off chance that command stream passed from userspace via\nioctl() call to radeon_vce_cs_parse() is weirdly crafted and\nfirst command to execute is to encode (case 0x03000001), the function\nin question will attempt to call radeon_vce_cs_reloc() with size\nargument that has not been properly initialized. Specifically, \u0027size\u0027\nwill point to \u0027tmp\u0027 variable before the latter had a chance to be\nassigned any value.\n\nPlay it safe and init \u0027tmp\u0027 with 0, thus ensuring that\nradeon_vce_cs_reloc() will catch an early error in cases like these.\n\nFound by Linux Verification Center (linuxtesting.org) with static\nanalysis tool SVACE.\n\n(cherry picked from commit 2d52de55f9ee7aaee0e09ac443f77855989c6b68)"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:03.444Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0effb378ebce52b897f85cd7f828854b8c7cb636"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b4d9d20fd455a97920cf158dd19163b879cf65d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9b2da9c673a0da1359a2151f7ce773e2f77d71a9"
        },
        {
          "url": "https://git.kernel.org/stable/c/78b07dada3f02f77762d0755a96d35f53b02be69"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ce08215cad55c10a6eeeb33d3583b6cfffe3ab8"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd1801aa01bba1760357f2a641346ae149686713"
        },
        {
          "url": "https://git.kernel.org/stable/c/f5e049028124f755283f2c07e7a3708361ed1dc8"
        },
        {
          "url": "https://git.kernel.org/stable/c/dd8689b52a24807c2d5ce0a17cb26dc87f75235c"
        }
      ],
      "title": "drm/radeon: fix uninitialized size issue in radeon_vce_cs_parse()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21996",
    "datePublished": "2025-04-03T07:18:59.933Z",
    "dateReserved": "2024-12-29T08:45:45.801Z",
    "dateUpdated": "2025-11-03T19:40:37.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22115 (GCVE-0-2025-22115)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-07-24 07:07

Title

btrfs: fix block group refcount race in btrfs_create_pending_block_groups()

Summary

In the Linux kernel, the following vulnerability has been resolved: btrfs: fix block group refcount race in btrfs_create_pending_block_groups() Block group creation is done in two phases, which results in a slightly unintuitive property: a block group can be allocated/deallocated from after btrfs_make_block_group() adds it to the space_info with btrfs_add_bg_to_space_info(), but before creation is completely completed in btrfs_create_pending_block_groups(). As a result, it is possible for a block group to go unused and have 'btrfs_mark_bg_unused' called on it concurrently with 'btrfs_create_pending_block_groups'. This causes a number of issues, which were fixed with the block group flag 'BLOCK_GROUP_FLAG_NEW'. However, this fix is not quite complete. Since it does not use the unused_bg_lock, it is possible for the following race to occur: btrfs_create_pending_block_groups btrfs_mark_bg_unused if list_empty // false list_del_init clear_bit else if (test_bit) // true list_move_tail And we get into the exact same broken ref count and invalid new_bgs state for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to prevent. The broken refcount aspect will result in a warning like: [1272.943527] refcount_t: underflow; use-after-free. [1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110 [1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs] [1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G W 6.14.0-rc5+ #108 [1272.946368] Tainted: [W]=WARN [1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 [1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs] [1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110 [1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282 [1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000 [1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff [1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268 [1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0 [1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0 [1272.952850] FS: 0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000 [1272.953458] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0 [1272.954474] Call Trace: [1272.954655] <TASK> [1272.954812] ? refcount_warn_saturate+0xba/0x110 [1272.955173] ? __warn.cold+0x93/0xd7 [1272.955487] ? refcount_warn_saturate+0xba/0x110 [1272.955816] ? report_bug+0xe7/0x120 [1272.956103] ? handle_bug+0x53/0x90 [1272.956424] ? exc_invalid_op+0x13/0x60 [1272.956700] ? asm_exc_invalid_op+0x16/0x20 [1272.957011] ? refcount_warn_saturate+0xba/0x110 [1272.957399] btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs] [1272.957853] btrfs_put_block_group.cold+0x5d/0x8e [btrfs] [1272.958289] btrfs_discard_workfn+0x194/0x380 [btrfs] [1272.958729] process_one_work+0x130/0x290 [1272.959026] worker_thread+0x2ea/0x420 [1272.959335] ? __pfx_worker_thread+0x10/0x10 [1272.959644] kthread+0xd7/0x1c0 [1272.959872] ? __pfx_kthread+0x10/0x10 [1272.960172] ret_from_fork+0x30/0x50 [1272.960474] ? __pfx_kthread+0x10/0x10 [1272.960745] ret_from_fork_asm+0x1a/0x30 [1272.961035] </TASK> [1272.961238] ---[ end trace 0000000000000000 ]--- Though we have seen them in the async discard workfn as well. It is most likely to happen after a relocation finishes which cancels discard, tears down the block group, etc. Fix this fully by taking the lock arou ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ee56da95f8962b86f…
	https://git.kernel.org/stable/c/9d383a6fc59271aaa…
	https://git.kernel.org/stable/c/2d8e5168d48a91e7a…

Impacted products

Vendor

Product

Version

Linux

Affected: 0657b20c5a76c938612f8409735a8830d257866e , < ee56da95f8962b86fec4ef93f866e64c8d025a58 (git)
Affected: 0657b20c5a76c938612f8409735a8830d257866e , < 9d383a6fc59271aaaf07a33b23b2eac5b9268b7a (git)
Affected: 0657b20c5a76c938612f8409735a8830d257866e , < 2d8e5168d48a91e7a802d3003e72afb4304bebfa (git)
Affected: 6297644db23f77c02ae7961cc542d162629ae2c4 (git)
Affected: 7569c4294ba6ff9f194635b14876198f8a687c4a (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.12.40 , ≤ 6.12.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/block-group.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ee56da95f8962b86fec4ef93f866e64c8d025a58",
              "status": "affected",
              "version": "0657b20c5a76c938612f8409735a8830d257866e",
              "versionType": "git"
            },
            {
              "lessThan": "9d383a6fc59271aaaf07a33b23b2eac5b9268b7a",
              "status": "affected",
              "version": "0657b20c5a76c938612f8409735a8830d257866e",
              "versionType": "git"
            },
            {
              "lessThan": "2d8e5168d48a91e7a802d3003e72afb4304bebfa",
              "status": "affected",
              "version": "0657b20c5a76c938612f8409735a8830d257866e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6297644db23f77c02ae7961cc542d162629ae2c4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "7569c4294ba6ff9f194635b14876198f8a687c4a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/btrfs/block-group.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.40",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.40",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.47",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.4.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbtrfs: fix block group refcount race in btrfs_create_pending_block_groups()\n\nBlock group creation is done in two phases, which results in a slightly\nunintuitive property: a block group can be allocated/deallocated from\nafter btrfs_make_block_group() adds it to the space_info with\nbtrfs_add_bg_to_space_info(), but before creation is completely completed\nin btrfs_create_pending_block_groups(). As a result, it is possible for a\nblock group to go unused and have \u0027btrfs_mark_bg_unused\u0027 called on it\nconcurrently with \u0027btrfs_create_pending_block_groups\u0027. This causes a\nnumber of issues, which were fixed with the block group flag\n\u0027BLOCK_GROUP_FLAG_NEW\u0027.\n\nHowever, this fix is not quite complete. Since it does not use the\nunused_bg_lock, it is possible for the following race to occur:\n\nbtrfs_create_pending_block_groups            btrfs_mark_bg_unused\n                                           if list_empty // false\n        list_del_init\n        clear_bit\n                                           else if (test_bit) // true\n                                                list_move_tail\n\nAnd we get into the exact same broken ref count and invalid new_bgs\nstate for transaction cleanup that BLOCK_GROUP_FLAG_NEW was designed to\nprevent.\n\nThe broken refcount aspect will result in a warning like:\n\n  [1272.943527] refcount_t: underflow; use-after-free.\n  [1272.943967] WARNING: CPU: 1 PID: 61 at lib/refcount.c:28 refcount_warn_saturate+0xba/0x110\n  [1272.944731] Modules linked in: btrfs virtio_net xor zstd_compress raid6_pq null_blk [last unloaded: btrfs]\n  [1272.945550] CPU: 1 UID: 0 PID: 61 Comm: kworker/u32:1 Kdump: loaded Tainted: G        W          6.14.0-rc5+ #108\n  [1272.946368] Tainted: [W]=WARN\n  [1272.946585] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014\n  [1272.947273] Workqueue: btrfs_discard btrfs_discard_workfn [btrfs]\n  [1272.947788] RIP: 0010:refcount_warn_saturate+0xba/0x110\n  [1272.949532] RSP: 0018:ffffbf1200247df0 EFLAGS: 00010282\n  [1272.949901] RAX: 0000000000000000 RBX: ffffa14b00e3f800 RCX: 0000000000000000\n  [1272.950437] RDX: 0000000000000000 RSI: ffffbf1200247c78 RDI: 00000000ffffdfff\n  [1272.950986] RBP: ffffa14b00dc2860 R08: 00000000ffffdfff R09: ffffffff90526268\n  [1272.951512] R10: ffffffff904762c0 R11: 0000000063666572 R12: ffffa14b00dc28c0\n  [1272.952024] R13: 0000000000000000 R14: ffffa14b00dc2868 R15: 000001285dcd12c0\n  [1272.952850] FS:  0000000000000000(0000) GS:ffffa14d33c40000(0000) knlGS:0000000000000000\n  [1272.953458] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  [1272.953931] CR2: 00007f838cbda000 CR3: 000000010104e000 CR4: 00000000000006f0\n  [1272.954474] Call Trace:\n  [1272.954655]  \u003cTASK\u003e\n  [1272.954812]  ? refcount_warn_saturate+0xba/0x110\n  [1272.955173]  ? __warn.cold+0x93/0xd7\n  [1272.955487]  ? refcount_warn_saturate+0xba/0x110\n  [1272.955816]  ? report_bug+0xe7/0x120\n  [1272.956103]  ? handle_bug+0x53/0x90\n  [1272.956424]  ? exc_invalid_op+0x13/0x60\n  [1272.956700]  ? asm_exc_invalid_op+0x16/0x20\n  [1272.957011]  ? refcount_warn_saturate+0xba/0x110\n  [1272.957399]  btrfs_discard_cancel_work.cold+0x26/0x2b [btrfs]\n  [1272.957853]  btrfs_put_block_group.cold+0x5d/0x8e [btrfs]\n  [1272.958289]  btrfs_discard_workfn+0x194/0x380 [btrfs]\n  [1272.958729]  process_one_work+0x130/0x290\n  [1272.959026]  worker_thread+0x2ea/0x420\n  [1272.959335]  ? __pfx_worker_thread+0x10/0x10\n  [1272.959644]  kthread+0xd7/0x1c0\n  [1272.959872]  ? __pfx_kthread+0x10/0x10\n  [1272.960172]  ret_from_fork+0x30/0x50\n  [1272.960474]  ? __pfx_kthread+0x10/0x10\n  [1272.960745]  ret_from_fork_asm+0x1a/0x30\n  [1272.961035]  \u003c/TASK\u003e\n  [1272.961238] ---[ end trace 0000000000000000 ]---\n\nThough we have seen them in the async discard workfn as well. It is\nmost likely to happen after a relocation finishes which cancels discard,\ntears down the block group, etc.\n\nFix this fully by taking the lock arou\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-07-24T07:07:18.253Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ee56da95f8962b86fec4ef93f866e64c8d025a58"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d383a6fc59271aaaf07a33b23b2eac5b9268b7a"
        },
        {
          "url": "https://git.kernel.org/stable/c/2d8e5168d48a91e7a802d3003e72afb4304bebfa"
        }
      ],
      "title": "btrfs: fix block group refcount race in btrfs_create_pending_block_groups()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22115",
    "datePublished": "2025-04-16T14:13:01.293Z",
    "dateReserved": "2024-12-29T08:45:45.823Z",
    "dateUpdated": "2025-07-24T07:07:18.253Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23133 (GCVE-0-2025-23133)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-09-09 17:05

Title

wifi: ath11k: update channel list in reg notifier instead reg worker

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: update channel list in reg notifier instead reg worker Currently when ath11k gets a new channel list, it will be processed according to the following steps: 1. update new channel list to cfg80211 and queue reg_work. 2. cfg80211 handles new channel list during reg_work. 3. update cfg80211's handled channel list to firmware by ath11k_reg_update_chan_list(). But ath11k will immediately execute step 3 after reg_work is just queued. Since step 2 is asynchronous, cfg80211 may not have completed handling the new channel list, which may leading to an out-of-bounds write error: BUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list Call Trace: ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k] kfree+0x109/0x3a0 ath11k_regd_update+0x1cf/0x350 [ath11k] ath11k_regd_update_work+0x14/0x20 [ath11k] process_one_work+0xe35/0x14c0 Should ensure step 2 is completely done before executing step 3. Thus Wen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set, cfg80211 will notify ath11k after step 2 is done. So enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will notify ath11k after step 2 is done. At this time, there will be no KASAN bug during the execution of the step 3. [1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/ Tested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/26618c039b78a76c3…
	https://git.kernel.org/stable/c/f952fb83c9c6f908d…
	https://git.kernel.org/stable/c/933ab187e679e6fbd…

Impacted products

Vendor

Product

Version

Linux

Affected: f45cb6b29cd36514e13f7519770873d8c0457008 , < 26618c039b78a76c373d4e02c5fbd52e3a73aead (git)
Affected: f45cb6b29cd36514e13f7519770873d8c0457008 , < f952fb83c9c6f908d27500764c4aee1df04b9d3f (git)
Affected: f45cb6b29cd36514e13f7519770873d8c0457008 , < 933ab187e679e6fbdeea1835ae39efcc59c022d2 (git)
Affected: f96fd36936310cefe0ea1370a9ae30e6746e6f62 (git)
Affected: c97b120950b49d76bdce013bd4d9577d769465f4 (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.12.46 , ≤ 6.12.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/reg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "26618c039b78a76c373d4e02c5fbd52e3a73aead",
              "status": "affected",
              "version": "f45cb6b29cd36514e13f7519770873d8c0457008",
              "versionType": "git"
            },
            {
              "lessThan": "f952fb83c9c6f908d27500764c4aee1df04b9d3f",
              "status": "affected",
              "version": "f45cb6b29cd36514e13f7519770873d8c0457008",
              "versionType": "git"
            },
            {
              "lessThan": "933ab187e679e6fbdeea1835ae39efcc59c022d2",
              "status": "affected",
              "version": "f45cb6b29cd36514e13f7519770873d8c0457008",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "f96fd36936310cefe0ea1370a9ae30e6746e6f62",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c97b120950b49d76bdce013bd4d9577d769465f4",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/reg.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.46",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.46",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.79",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.0.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: update channel list in reg notifier instead reg worker\n\nCurrently when ath11k gets a new channel list, it will be processed\naccording to the following steps:\n1. update new channel list to cfg80211 and queue reg_work.\n2. cfg80211 handles new channel list during reg_work.\n3. update cfg80211\u0027s handled channel list to firmware by\nath11k_reg_update_chan_list().\n\nBut ath11k will immediately execute step 3 after reg_work is just\nqueued. Since step 2 is asynchronous, cfg80211 may not have completed\nhandling the new channel list, which may leading to an out-of-bounds\nwrite error:\nBUG: KASAN: slab-out-of-bounds in ath11k_reg_update_chan_list\nCall Trace:\n    ath11k_reg_update_chan_list+0xbfe/0xfe0 [ath11k]\n    kfree+0x109/0x3a0\n    ath11k_regd_update+0x1cf/0x350 [ath11k]\n    ath11k_regd_update_work+0x14/0x20 [ath11k]\n    process_one_work+0xe35/0x14c0\n\nShould ensure step 2 is completely done before executing step 3. Thus\nWen raised patch[1]. When flag NL80211_REGDOM_SET_BY_DRIVER is set,\ncfg80211 will notify ath11k after step 2 is done.\n\nSo enable the flag NL80211_REGDOM_SET_BY_DRIVER then cfg80211 will\nnotify ath11k after step 2 is done. At this time, there will be no\nKASAN bug during the execution of the step 3.\n\n[1] https://patchwork.kernel.org/project/linux-wireless/patch/20230201065313.27203-1-quic_wgong@quicinc.com/\n\nTested-on: WCN6855 hw2.0 PCI WLAN.HSP.1.1-03125-QCAHSPSWPL_V1_V2_SILICONZ_LITE-3"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-09-09T17:05:55.103Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/26618c039b78a76c373d4e02c5fbd52e3a73aead"
        },
        {
          "url": "https://git.kernel.org/stable/c/f952fb83c9c6f908d27500764c4aee1df04b9d3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/933ab187e679e6fbdeea1835ae39efcc59c022d2"
        }
      ],
      "title": "wifi: ath11k: update channel list in reg notifier instead reg worker",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23133",
    "datePublished": "2025-04-16T14:13:14.485Z",
    "dateReserved": "2025-01-11T14:28:41.511Z",
    "dateUpdated": "2025-09-09T17:05:55.103Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21926 (GCVE-0-2025-21926)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-11-03 19:39

Title

net: gso: fix ownership in __udp_gso_segment

Summary

In the Linux kernel, the following vulnerability has been resolved: net: gso: fix ownership in __udp_gso_segment In __udp_gso_segment the skb destructor is removed before segmenting the skb but the socket reference is kept as-is. This is an issue if the original skb is later orphaned as we can hit the following bug: kernel BUG at ./include/linux/skbuff.h:3312! (skb_orphan) RIP: 0010:ip_rcv_core+0x8b2/0xca0 Call Trace: ip_rcv+0xab/0x6e0 __netif_receive_skb_one_core+0x168/0x1b0 process_backlog+0x384/0x1100 __napi_poll.constprop.0+0xa1/0x370 net_rx_action+0x925/0xe50 The above can happen following a sequence of events when using OpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an OVS_ACTION_ATTR_OUTPUT action: 1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb goes through queue_gso_packets and then __udp_gso_segment, where its destructor is removed. 2. The segments' data are copied and sent to userspace. 3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the same original skb is sent to its path. 4. If it later hits skb_orphan, we hit the bug. Fix this by also removing the reference to the socket in __udp_gso_segment.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/9f28205ddb76e86ca…
	https://git.kernel.org/stable/c/a2d1cca955ed34873…
	https://git.kernel.org/stable/c/455217ac9db0cf934…
	https://git.kernel.org/stable/c/e8db70537878e1bb3…
	https://git.kernel.org/stable/c/01a83237644d6822b…
	https://git.kernel.org/stable/c/084819b0d8b1bd433…
	https://git.kernel.org/stable/c/c32da44cc9298eaa6…
	https://git.kernel.org/stable/c/ee01b2f2d7d001078…

Impacted products

Vendor

Product

Version

Linux

Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < 9f28205ddb76e86cac418332e952241d85fed0dc (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < a2d1cca955ed34873e524cc2e6e885450d262f05 (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < 455217ac9db0cf9349b3933664355e907bb1a569 (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < e8db70537878e1bb3fd83e5abcc6feefc0587828 (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < 01a83237644d6822bc7df2c5564fc81b0df84358 (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < 084819b0d8b1bd433b90142371eb9450d657f8ca (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b (git)
Affected: ad405857b174ed31a97982bb129c320d03321cf5 , < ee01b2f2d7d0010787c2343463965bbc283a497f (git)

Linux

Affected: 4.18
Unaffected: 0 , < 4.18 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:23.706Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp_offload.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "9f28205ddb76e86cac418332e952241d85fed0dc",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "a2d1cca955ed34873e524cc2e6e885450d262f05",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "455217ac9db0cf9349b3933664355e907bb1a569",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "e8db70537878e1bb3fd83e5abcc6feefc0587828",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "01a83237644d6822bc7df2c5564fc81b0df84358",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "084819b0d8b1bd433b90142371eb9450d657f8ca",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            },
            {
              "lessThan": "ee01b2f2d7d0010787c2343463965bbc283a497f",
              "status": "affected",
              "version": "ad405857b174ed31a97982bb129c320d03321cf5",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv4/udp_offload.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.18"
            },
            {
              "lessThan": "4.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: gso: fix ownership in __udp_gso_segment\n\nIn __udp_gso_segment the skb destructor is removed before segmenting the\nskb but the socket reference is kept as-is. This is an issue if the\noriginal skb is later orphaned as we can hit the following bug:\n\n  kernel BUG at ./include/linux/skbuff.h:3312!  (skb_orphan)\n  RIP: 0010:ip_rcv_core+0x8b2/0xca0\n  Call Trace:\n   ip_rcv+0xab/0x6e0\n   __netif_receive_skb_one_core+0x168/0x1b0\n   process_backlog+0x384/0x1100\n   __napi_poll.constprop.0+0xa1/0x370\n   net_rx_action+0x925/0xe50\n\nThe above can happen following a sequence of events when using\nOpenVSwitch, when an OVS_ACTION_ATTR_USERSPACE action precedes an\nOVS_ACTION_ATTR_OUTPUT action:\n\n1. OVS_ACTION_ATTR_USERSPACE is handled (in do_execute_actions): the skb\n   goes through queue_gso_packets and then __udp_gso_segment, where its\n   destructor is removed.\n2. The segments\u0027 data are copied and sent to userspace.\n3. OVS_ACTION_ATTR_OUTPUT is handled (in do_execute_actions) and the\n   same original skb is sent to its path.\n4. If it later hits skb_orphan, we hit the bug.\n\nFix this by also removing the reference to the socket in\n__udp_gso_segment."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:43.335Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/9f28205ddb76e86cac418332e952241d85fed0dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2d1cca955ed34873e524cc2e6e885450d262f05"
        },
        {
          "url": "https://git.kernel.org/stable/c/455217ac9db0cf9349b3933664355e907bb1a569"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8db70537878e1bb3fd83e5abcc6feefc0587828"
        },
        {
          "url": "https://git.kernel.org/stable/c/01a83237644d6822bc7df2c5564fc81b0df84358"
        },
        {
          "url": "https://git.kernel.org/stable/c/084819b0d8b1bd433b90142371eb9450d657f8ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/c32da44cc9298eaa6109e3fc2c2b4e07cc4bf11b"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee01b2f2d7d0010787c2343463965bbc283a497f"
        }
      ],
      "title": "net: gso: fix ownership in __udp_gso_segment",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21926",
    "datePublished": "2025-04-01T15:40:57.882Z",
    "dateReserved": "2024-12-29T08:45:45.788Z",
    "dateUpdated": "2025-11-03T19:39:23.706Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22033 (GCVE-0-2025-22033)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2025-11-03 19:41

Title

arm64: Don't call NULL in do_compat_alignment_fixup()

Summary

In the Linux kernel, the following vulnerability has been resolved: arm64: Don't call NULL in do_compat_alignment_fixup() do_alignment_t32_to_handler() only fixes up alignment faults for specific instructions; it returns NULL otherwise (e.g. LDREX). When that's the case, signal to the caller that it needs to proceed with the regular alignment fault handling (i.e. SIGBUS). Without this patch, the kernel panics: Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 Mem abort info: ESR = 0x0000000086000006 EC = 0x21: IABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x06: level 2 translation fault user pgtable: 4k pages, 48-bit VAs, pgdp=00000800164aa000 [0000000000000000] pgd=0800081fdbd22003, p4d=0800081fdbd22003, pud=08000815d51c6003, pmd=0000000000000000 Internal error: Oops: 0000000086000006 [#1] SMP Modules linked in: cfg80211 rfkill xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter veth nvme_fa> libcrc32c crc32c_generic raid0 multipath linear dm_mod dax raid1 md_mod xhci_pci nvme xhci_hcd nvme_core t10_pi usbcore igb crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_ce crct10dif_common usb_common i2c_algo_bit i2c> CPU: 2 PID: 3932954 Comm: WPEWebProcess Not tainted 6.1.0-31-arm64 #1 Debian 6.1.128-1 Hardware name: GIGABYTE MP32-AR1-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021 pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) pc : 0x0 lr : do_compat_alignment_fixup+0xd8/0x3dc sp : ffff80000f973dd0 x29: ffff80000f973dd0 x28: ffff081b42526180 x27: 0000000000000000 x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000 x23: 0000000000000004 x22: 0000000000000000 x21: 0000000000000001 x20: 00000000e8551f00 x19: ffff80000f973eb0 x18: 0000000000000000 x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000 x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000 x11: 0000000000000000 x10: 0000000000000000 x9 : ffffaebc949bc488 x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000 x5 : 0000000000400000 x4 : 0000fffffffffffe x3 : 0000000000000000 x2 : ffff80000f973eb0 x1 : 00000000e8551f00 x0 : 0000000000000001 Call trace: 0x0 do_alignment_fault+0x40/0x50 do_mem_abort+0x4c/0xa0 el0_da+0x48/0xf0 el0t_32_sync_handler+0x110/0x140 el0t_32_sync+0x190/0x194 Code: bad PC value ---[ end trace 0000000000000000 ]---

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/cf187601053ecaf67…
	https://git.kernel.org/stable/c/617a4b0084a547917…
	https://git.kernel.org/stable/c/2df8ee605eb6806cd…
	https://git.kernel.org/stable/c/fa2a9f625f185c6ac…
	https://git.kernel.org/stable/c/ecf798573bbe08058…
	https://git.kernel.org/stable/c/c28f31deeacda307a…

Impacted products

Vendor

Product

Version

Linux

Affected: 3fc24ef32d3b9368f4c103dcd21d6a3f959b4870 , < cf187601053ecaf671ae645edb898901f81d03e9 (git)
Affected: 3fc24ef32d3b9368f4c103dcd21d6a3f959b4870 , < 617a4b0084a547917669fef2b54253cc9c064990 (git)
Affected: 3fc24ef32d3b9368f4c103dcd21d6a3f959b4870 , < 2df8ee605eb6806cd41c2095306db05206633a08 (git)
Affected: 3fc24ef32d3b9368f4c103dcd21d6a3f959b4870 , < fa2a9f625f185c6acb4ee5be8d71359a567afac9 (git)
Affected: 3fc24ef32d3b9368f4c103dcd21d6a3f959b4870 , < ecf798573bbe0805803f7764e12a34b4bcc65074 (git)
Affected: 3fc24ef32d3b9368f4c103dcd21d6a3f959b4870 , < c28f31deeacda307acfee2f18c0ad904e5123aac (git)

Linux

Affected: 6.1
Unaffected: 0 , < 6.1 (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22033",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:04:42.555886Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:04:46.815Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:16.171Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/compat_alignment.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "cf187601053ecaf671ae645edb898901f81d03e9",
              "status": "affected",
              "version": "3fc24ef32d3b9368f4c103dcd21d6a3f959b4870",
              "versionType": "git"
            },
            {
              "lessThan": "617a4b0084a547917669fef2b54253cc9c064990",
              "status": "affected",
              "version": "3fc24ef32d3b9368f4c103dcd21d6a3f959b4870",
              "versionType": "git"
            },
            {
              "lessThan": "2df8ee605eb6806cd41c2095306db05206633a08",
              "status": "affected",
              "version": "3fc24ef32d3b9368f4c103dcd21d6a3f959b4870",
              "versionType": "git"
            },
            {
              "lessThan": "fa2a9f625f185c6acb4ee5be8d71359a567afac9",
              "status": "affected",
              "version": "3fc24ef32d3b9368f4c103dcd21d6a3f959b4870",
              "versionType": "git"
            },
            {
              "lessThan": "ecf798573bbe0805803f7764e12a34b4bcc65074",
              "status": "affected",
              "version": "3fc24ef32d3b9368f4c103dcd21d6a3f959b4870",
              "versionType": "git"
            },
            {
              "lessThan": "c28f31deeacda307acfee2f18c0ad904e5123aac",
              "status": "affected",
              "version": "3fc24ef32d3b9368f4c103dcd21d6a3f959b4870",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm64/kernel/compat_alignment.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.1"
            },
            {
              "lessThan": "6.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.1",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm64: Don\u0027t call NULL in do_compat_alignment_fixup()\n\ndo_alignment_t32_to_handler() only fixes up alignment faults for\nspecific instructions; it returns NULL otherwise (e.g. LDREX). When\nthat\u0027s the case, signal to the caller that it needs to proceed with the\nregular alignment fault handling (i.e. SIGBUS). Without this patch, the\nkernel panics:\n\n  Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000\n  Mem abort info:\n    ESR = 0x0000000086000006\n    EC = 0x21: IABT (current EL), IL = 32 bits\n    SET = 0, FnV = 0\n    EA = 0, S1PTW = 0\n    FSC = 0x06: level 2 translation fault\n  user pgtable: 4k pages, 48-bit VAs, pgdp=00000800164aa000\n  [0000000000000000] pgd=0800081fdbd22003, p4d=0800081fdbd22003, pud=08000815d51c6003, pmd=0000000000000000\n  Internal error: Oops: 0000000086000006 [#1] SMP\n  Modules linked in: cfg80211 rfkill xt_nat xt_tcpudp xt_conntrack nft_chain_nat xt_MASQUERADE nf_nat nf_conntrack_netlink nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 xfrm_user xfrm_algo xt_addrtype nft_compat br_netfilter veth nvme_fa\u003e\n   libcrc32c crc32c_generic raid0 multipath linear dm_mod dax raid1 md_mod xhci_pci nvme xhci_hcd nvme_core t10_pi usbcore igb crc64_rocksoft crc64 crc_t10dif crct10dif_generic crct10dif_ce crct10dif_common usb_common i2c_algo_bit i2c\u003e\n  CPU: 2 PID: 3932954 Comm: WPEWebProcess Not tainted 6.1.0-31-arm64 #1  Debian 6.1.128-1\n  Hardware name: GIGABYTE MP32-AR1-00/MP32-AR1-00, BIOS F18v (SCP: 1.08.20211002) 12/01/2021\n  pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n  pc : 0x0\n  lr : do_compat_alignment_fixup+0xd8/0x3dc\n  sp : ffff80000f973dd0\n  x29: ffff80000f973dd0 x28: ffff081b42526180 x27: 0000000000000000\n  x26: 0000000000000000 x25: 0000000000000000 x24: 0000000000000000\n  x23: 0000000000000004 x22: 0000000000000000 x21: 0000000000000001\n  x20: 00000000e8551f00 x19: ffff80000f973eb0 x18: 0000000000000000\n  x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000\n  x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000000\n  x11: 0000000000000000 x10: 0000000000000000 x9 : ffffaebc949bc488\n  x8 : 0000000000000000 x7 : 0000000000000000 x6 : 0000000000000000\n  x5 : 0000000000400000 x4 : 0000fffffffffffe x3 : 0000000000000000\n  x2 : ffff80000f973eb0 x1 : 00000000e8551f00 x0 : 0000000000000001\n  Call trace:\n   0x0\n   do_alignment_fault+0x40/0x50\n   do_mem_abort+0x4c/0xa0\n   el0_da+0x48/0xf0\n   el0t_32_sync_handler+0x110/0x140\n   el0t_32_sync+0x190/0x194\n  Code: bad PC value\n  ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:00.903Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/cf187601053ecaf671ae645edb898901f81d03e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/617a4b0084a547917669fef2b54253cc9c064990"
        },
        {
          "url": "https://git.kernel.org/stable/c/2df8ee605eb6806cd41c2095306db05206633a08"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa2a9f625f185c6acb4ee5be8d71359a567afac9"
        },
        {
          "url": "https://git.kernel.org/stable/c/ecf798573bbe0805803f7764e12a34b4bcc65074"
        },
        {
          "url": "https://git.kernel.org/stable/c/c28f31deeacda307acfee2f18c0ad904e5123aac"
        }
      ],
      "title": "arm64: Don\u0027t call NULL in do_compat_alignment_fixup()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22033",
    "datePublished": "2025-04-16T14:11:52.696Z",
    "dateReserved": "2024-12-29T08:45:45.808Z",
    "dateUpdated": "2025-11-03T19:41:16.171Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23129 (GCVE-0-2025-23129)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:13 – Updated: 2025-11-24 09:49

Title

wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path If a shared IRQ is used by the driver due to platform limitation, then the IRQ affinity hint is set right after the allocation of IRQ vectors in ath11k_pci_alloc_msi(). This does no harm unless one of the functions requesting the IRQ fails and attempt to free the IRQ. This results in the below warning: WARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c Call trace: free_irq+0x278/0x29c ath11k_pcic_free_irq+0x70/0x10c [ath11k] ath11k_pci_probe+0x800/0x820 [ath11k_pci] local_pci_probe+0x40/0xbc The warning is due to not clearing the affinity hint before freeing the IRQs. So to fix this issue, clear the IRQ affinity hint before calling ath11k_pcic_free_irq() in the error path. The affinity will be cleared once again further down the error path due to code organization, but that does no harm. Tested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/80dc5a2ce5b75d648…
	https://git.kernel.org/stable/c/3fc42cfcc6e336f25…
	https://git.kernel.org/stable/c/68410c5bd381a81bc…

Impacted products

Vendor

Product

Version

Linux

Affected: 39564b475ac5a589e6c22c43a08cbd283c295d2c , < 80dc5a2ce5b75d648e08549617f5c555d07ae43c (git)
Affected: 39564b475ac5a589e6c22c43a08cbd283c295d2c , < 3fc42cfcc6e336f25dee79b34e57c4a63cd652a5 (git)
Affected: 39564b475ac5a589e6c22c43a08cbd283c295d2c , < 68410c5bd381a81bcc92b808e7dc4e6b9ed25d11 (git)
Affected: e01b3400d641cb290742849331f0d22e1202538a (git)
Affected: 5a9f55efa9333e3edb4826d945cfdd8356f6e269 (git)
Affected: d412d0ef300f28d698648cc7c19147ab413251fe (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.59 , ≤ 6.12.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "80dc5a2ce5b75d648e08549617f5c555d07ae43c",
              "status": "affected",
              "version": "39564b475ac5a589e6c22c43a08cbd283c295d2c",
              "versionType": "git"
            },
            {
              "lessThan": "3fc42cfcc6e336f25dee79b34e57c4a63cd652a5",
              "status": "affected",
              "version": "39564b475ac5a589e6c22c43a08cbd283c295d2c",
              "versionType": "git"
            },
            {
              "lessThan": "68410c5bd381a81bcc92b808e7dc4e6b9ed25d11",
              "status": "affected",
              "version": "39564b475ac5a589e6c22c43a08cbd283c295d2c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e01b3400d641cb290742849331f0d22e1202538a",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "5a9f55efa9333e3edb4826d945cfdd8356f6e269",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "d412d0ef300f28d698648cc7c19147ab413251fe",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/ath/ath11k/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.59",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.59",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.1.63",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.6.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path\n\nIf a shared IRQ is used by the driver due to platform limitation, then the\nIRQ affinity hint is set right after the allocation of IRQ vectors in\nath11k_pci_alloc_msi(). This does no harm unless one of the functions\nrequesting the IRQ fails and attempt to free the IRQ. This results in the\nbelow warning:\n\nWARNING: CPU: 7 PID: 349 at kernel/irq/manage.c:1929 free_irq+0x278/0x29c\nCall trace:\n free_irq+0x278/0x29c\n ath11k_pcic_free_irq+0x70/0x10c [ath11k]\n ath11k_pci_probe+0x800/0x820 [ath11k_pci]\n local_pci_probe+0x40/0xbc\n\nThe warning is due to not clearing the affinity hint before freeing the\nIRQs.\n\nSo to fix this issue, clear the IRQ affinity hint before calling\nath11k_pcic_free_irq() in the error path. The affinity will be cleared once\nagain further down the error path due to code organization, but that does\nno harm.\n\nTested-on: QCA6390 hw2.0 PCI WLAN.HST.1.0.1-05266-QCAHSTSWPLZ_V2_TO_X86-1"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-24T09:49:46.072Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/80dc5a2ce5b75d648e08549617f5c555d07ae43c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3fc42cfcc6e336f25dee79b34e57c4a63cd652a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/68410c5bd381a81bcc92b808e7dc4e6b9ed25d11"
        }
      ],
      "title": "wifi: ath11k: Clear affinity hint before calling ath11k_pcic_free_irq() in error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23129",
    "datePublished": "2025-04-16T14:13:11.663Z",
    "dateReserved": "2025-01-11T14:28:41.510Z",
    "dateUpdated": "2025-11-24T09:49:46.072Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-36945 (GCVE-0-2024-36945)

Vulnerability from cvelistv5 – Published: 2024-05-30 15:35 – Updated: 2025-05-04 09:12

Title

net/smc: fix neighbour and rtable leak in smc_ib_find_route()

Summary

In the Linux kernel, the following vulnerability has been resolved: net/smc: fix neighbour and rtable leak in smc_ib_find_route() In smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable resolved by ip_route_output_flow() are not released or put before return. It may cause the refcount leak, so fix it.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d5a466ab6e78d6f2e…
	https://git.kernel.org/stable/c/5df93c029a907b0ff…
	https://git.kernel.org/stable/c/da91e447d06dc649f…
	https://git.kernel.org/stable/c/2ddc0dd7fec86ee53…

Impacted products

Vendor

Product

Version

Linux

Affected: e5c4744cfb598f98672f8d21d59ef2c1fa9c9b5f , < d5a466ab6e78d6f2e0f64435f1e17246c8e941ff (git)
Affected: e5c4744cfb598f98672f8d21d59ef2c1fa9c9b5f , < 5df93c029a907b0ff5a4eeadd77ba06ff0a277d2 (git)
Affected: e5c4744cfb598f98672f8d21d59ef2c1fa9c9b5f , < da91e447d06dc649fcf46e59122e7bf8f0b2e0db (git)
Affected: e5c4744cfb598f98672f8d21d59ef2c1fa9c9b5f , < 2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06 (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.1.91 , ≤ 6.1.* (semver)
Unaffected: 6.6.31 , ≤ 6.6.* (semver)
Unaffected: 6.8.10 , ≤ 6.8.* (semver)
Unaffected: 6.9 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-36945",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-06-04T20:30:31.469457Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-06-04T20:30:45.208Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "ADP Container"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-04-04T23:03:03.722Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/d5a466ab6e78d6f2e0f64435f1e17246c8e941ff"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/5df93c029a907b0ff5a4eeadd77ba06ff0a277d2"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/da91e447d06dc649fcf46e59122e7bf8f0b2e0db"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://git.kernel.org/stable/c/2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06"
          },
          {
            "url": "https://security.netapp.com/advisory/ntap-20250404-0006/"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_ib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d5a466ab6e78d6f2e0f64435f1e17246c8e941ff",
              "status": "affected",
              "version": "e5c4744cfb598f98672f8d21d59ef2c1fa9c9b5f",
              "versionType": "git"
            },
            {
              "lessThan": "5df93c029a907b0ff5a4eeadd77ba06ff0a277d2",
              "status": "affected",
              "version": "e5c4744cfb598f98672f8d21d59ef2c1fa9c9b5f",
              "versionType": "git"
            },
            {
              "lessThan": "da91e447d06dc649fcf46e59122e7bf8f0b2e0db",
              "status": "affected",
              "version": "e5c4744cfb598f98672f8d21d59ef2c1fa9c9b5f",
              "versionType": "git"
            },
            {
              "lessThan": "2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06",
              "status": "affected",
              "version": "e5c4744cfb598f98672f8d21d59ef2c1fa9c9b5f",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/smc/smc_ib.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.91",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.31",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.8.*",
              "status": "unaffected",
              "version": "6.8.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.9",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.91",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.31",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.8.10",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.9",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/smc: fix neighbour and rtable leak in smc_ib_find_route()\n\nIn smc_ib_find_route(), the neighbour found by neigh_lookup() and rtable\nresolved by ip_route_output_flow() are not released or put before return.\nIt may cause the refcount leak, so fix it."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T09:12:34.866Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d5a466ab6e78d6f2e0f64435f1e17246c8e941ff"
        },
        {
          "url": "https://git.kernel.org/stable/c/5df93c029a907b0ff5a4eeadd77ba06ff0a277d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/da91e447d06dc649fcf46e59122e7bf8f0b2e0db"
        },
        {
          "url": "https://git.kernel.org/stable/c/2ddc0dd7fec86ee53b8928a5cca5fbddd4fc7c06"
        }
      ],
      "title": "net/smc: fix neighbour and rtable leak in smc_ib_find_route()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-36945",
    "datePublished": "2024-05-30T15:35:43.299Z",
    "dateReserved": "2024-05-30T15:25:07.079Z",
    "dateUpdated": "2025-05-04T09:12:34.866Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2024-58079 (GCVE-0-2024-58079)

Vulnerability from cvelistv5 – Published: 2025-03-06 16:13 – Updated: 2025-11-03 19:34

Title

media: uvcvideo: Fix crash during unbind if gpio unit is in use

Summary

In the Linux kernel, the following vulnerability has been resolved: media: uvcvideo: Fix crash during unbind if gpio unit is in use We used the wrong device for the device managed functions. We used the usb device, when we should be using the interface device. If we unbind the driver from the usb interface, the cleanup functions are never called. In our case, the IRQ is never disabled. If an IRQ is triggered, it will try to access memory sections that are already free, causing an OOPS. We cannot use the function devm_request_threaded_irq here. The devm_* clean functions may be called after the main structure is released by uvc_delete. Luckily this bug has small impact, as it is only affected by devices with gpio units and the user has to unbind the device, a disconnect will not trigger this error.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0fdd7cc593385e46e…
	https://git.kernel.org/stable/c/3c00e94d00ca079be…
	https://git.kernel.org/stable/c/0b5e0445bc8384c18…
	https://git.kernel.org/stable/c/d2eac8b14ac690aa7…
	https://git.kernel.org/stable/c/5d2e65cbe53d0141e…
	https://git.kernel.org/stable/c/a9ea1a3d88b7947ce…

Impacted products

Vendor

Product

Version

Linux

Affected: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 , < 0fdd7cc593385e46e92e180b71e264fc9c195298 (git)
Affected: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 , < 3c00e94d00ca079bef7906d6f39d1091bccfedd3 (git)
Affected: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 , < 0b5e0445bc8384c18bd35cb9fe87f6258c6271d9 (git)
Affected: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 , < d2eac8b14ac690aa73052aa6d4ba69005715367e (git)
Affected: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 , < 5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d (git)
Affected: 2886477ff98740cc3333cf785e4de0b1ff3d7a28 , < a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5 (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.78 , ≤ 6.6.* (semver)
Unaffected: 6.12.14 , ≤ 6.12.* (semver)
Unaffected: 6.13.3 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:34:12.917Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_driver.c",
            "drivers/media/usb/uvc/uvcvideo.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0fdd7cc593385e46e92e180b71e264fc9c195298",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            },
            {
              "lessThan": "3c00e94d00ca079bef7906d6f39d1091bccfedd3",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            },
            {
              "lessThan": "0b5e0445bc8384c18bd35cb9fe87f6258c6271d9",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            },
            {
              "lessThan": "d2eac8b14ac690aa73052aa6d4ba69005715367e",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            },
            {
              "lessThan": "5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            },
            {
              "lessThan": "a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5",
              "status": "affected",
              "version": "2886477ff98740cc3333cf785e4de0b1ff3d7a28",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/usb/uvc/uvc_driver.c",
            "drivers/media/usb/uvc/uvcvideo.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.78",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.78",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.3",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: uvcvideo: Fix crash during unbind if gpio unit is in use\n\nWe used the wrong device for the device managed functions. We used the\nusb device, when we should be using the interface device.\n\nIf we unbind the driver from the usb interface, the cleanup functions\nare never called. In our case, the IRQ is never disabled.\n\nIf an IRQ is triggered, it will try to access memory sections that are\nalready free, causing an OOPS.\n\nWe cannot use the function devm_request_threaded_irq here. The devm_*\nclean functions may be called after the main structure is released by\nuvc_delete.\n\nLuckily this bug has small impact, as it is only affected by devices\nwith gpio units and the user has to unbind the device, a disconnect will\nnot trigger this error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:30.587Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0fdd7cc593385e46e92e180b71e264fc9c195298"
        },
        {
          "url": "https://git.kernel.org/stable/c/3c00e94d00ca079bef7906d6f39d1091bccfedd3"
        },
        {
          "url": "https://git.kernel.org/stable/c/0b5e0445bc8384c18bd35cb9fe87f6258c6271d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/d2eac8b14ac690aa73052aa6d4ba69005715367e"
        },
        {
          "url": "https://git.kernel.org/stable/c/5d2e65cbe53d0141ed095cf31c2dcf3d8668c11d"
        },
        {
          "url": "https://git.kernel.org/stable/c/a9ea1a3d88b7947ce8cadb2afceee7a54872bbc5"
        }
      ],
      "title": "media: uvcvideo: Fix crash during unbind if gpio unit is in use",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58079",
    "datePublished": "2025-03-06T16:13:42.640Z",
    "dateReserved": "2025-03-06T15:52:09.183Z",
    "dateUpdated": "2025-11-03T19:34:12.917Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21758 (GCVE-0-2025-21758)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 19:37

Title

ipv6: mcast: add RCU protection to mld_newpack()

Summary

In the Linux kernel, the following vulnerability has been resolved: ipv6: mcast: add RCU protection to mld_newpack() mld_newpack() can be called without RTNL or RCU being held. Note that we no longer can use sock_alloc_send_skb() because ipv6.igmp_sk uses GFP_KERNEL allocations which can sleep. Instead use alloc_skb() and charge the net->ipv6.igmp_sk socket under RCU protection.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/29fa42197f26a97cd…
	https://git.kernel.org/stable/c/e8af3632a7f2da83e…
	https://git.kernel.org/stable/c/1b91c597b0214b1b4…
	https://git.kernel.org/stable/c/25195f9d5ffcc8079…
	https://git.kernel.org/stable/c/d60d493b0e65647e0…
	https://git.kernel.org/stable/c/a527750d877fd334d…

Impacted products

Vendor

Product

Version

Linux

Affected: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551 , < 29fa42197f26a97cde29fa8c40beddf44ea5c8f3 (git)
Affected: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551 , < e8af3632a7f2da83e27b083f787bced1faba00b1 (git)
Affected: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551 , < 1b91c597b0214b1b462eb627ec02658c944623f2 (git)
Affected: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551 , < 25195f9d5ffcc8079ad743a50c0409dbdc48d98a (git)
Affected: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551 , < d60d493b0e65647e0335e6a7c4547abcea7df8e9 (git)
Affected: b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551 , < a527750d877fd334de87eef81f1cb5f0f0ca3373 (git)

Linux

Affected: 2.6.26
Unaffected: 0 , < 2.6.26 (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.79 , ≤ 6.6.* (semver)
Unaffected: 6.12.16 , ≤ 6.12.* (semver)
Unaffected: 6.13.4 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:37:03.144Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/mcast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "29fa42197f26a97cde29fa8c40beddf44ea5c8f3",
              "status": "affected",
              "version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
              "versionType": "git"
            },
            {
              "lessThan": "e8af3632a7f2da83e27b083f787bced1faba00b1",
              "status": "affected",
              "version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
              "versionType": "git"
            },
            {
              "lessThan": "1b91c597b0214b1b462eb627ec02658c944623f2",
              "status": "affected",
              "version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
              "versionType": "git"
            },
            {
              "lessThan": "25195f9d5ffcc8079ad743a50c0409dbdc48d98a",
              "status": "affected",
              "version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
              "versionType": "git"
            },
            {
              "lessThan": "d60d493b0e65647e0335e6a7c4547abcea7df8e9",
              "status": "affected",
              "version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
              "versionType": "git"
            },
            {
              "lessThan": "a527750d877fd334de87eef81f1cb5f0f0ca3373",
              "status": "affected",
              "version": "b8ad0cbc58f703972e9e37c4e2a8081dd7e6a551",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/ipv6/mcast.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.26"
            },
            {
              "lessThan": "2.6.26",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.26",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nipv6: mcast: add RCU protection to mld_newpack()\n\nmld_newpack() can be called without RTNL or RCU being held.\n\nNote that we no longer can use sock_alloc_send_skb() because\nipv6.igmp_sk uses GFP_KERNEL allocations which can sleep.\n\nInstead use alloc_skb() and charge the net-\u003eipv6.igmp_sk\nsocket under RCU protection."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:20:29.913Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/29fa42197f26a97cde29fa8c40beddf44ea5c8f3"
        },
        {
          "url": "https://git.kernel.org/stable/c/e8af3632a7f2da83e27b083f787bced1faba00b1"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b91c597b0214b1b462eb627ec02658c944623f2"
        },
        {
          "url": "https://git.kernel.org/stable/c/25195f9d5ffcc8079ad743a50c0409dbdc48d98a"
        },
        {
          "url": "https://git.kernel.org/stable/c/d60d493b0e65647e0335e6a7c4547abcea7df8e9"
        },
        {
          "url": "https://git.kernel.org/stable/c/a527750d877fd334de87eef81f1cb5f0f0ca3373"
        }
      ],
      "title": "ipv6: mcast: add RCU protection to mld_newpack()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21758",
    "datePublished": "2025-02-27T02:18:12.496Z",
    "dateReserved": "2024-12-29T08:45:45.761Z",
    "dateUpdated": "2025-11-03T19:37:03.144Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21802 (GCVE-0-2025-21802)

Vulnerability from cvelistv5 – Published: 2025-02-27 20:00 – Updated: 2025-11-03 20:59

Title

net: hns3: fix oops when unload drivers paralleling

Summary

In the Linux kernel, the following vulnerability has been resolved: net: hns3: fix oops when unload drivers paralleling When unload hclge driver, it tries to disable sriov first for each ae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at the time, because it removes all the ae_dev nodes, and it may cause oops. But we can't simply use hnae3_common_lock for this. Because in the process flow of pci_disable_sriov(), it will trigger the remove flow of VF, which will also take hnae3_common_lock. To fixes it, introduce a new mutex to protect the unload process.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/622d92a67656e5c4d…
	https://git.kernel.org/stable/c/8c640dd3d900cc898…
	https://git.kernel.org/stable/c/e876522659012ef2e…
	https://git.kernel.org/stable/c/b5a8bc47aa0a4aa8b…
	https://git.kernel.org/stable/c/82736bb83fb022131…
	https://git.kernel.org/stable/c/cafe9a27e22736d4a…
	https://git.kernel.org/stable/c/92e5995773774a3e7…

Impacted products

Vendor

Product

Version

Linux

Affected: d36b15e3e7b5937cb1f6ac590a85facc3a320642 , < 622d92a67656e5c4d2d6ccac02d688ed995418c6 (git)
Affected: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 , < 8c640dd3d900cc8988a39c007591f1deee776df4 (git)
Affected: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 , < e876522659012ef2e73834a0b9f1cbe3f74d5fad (git)
Affected: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 , < b5a8bc47aa0a4aa8bca5466dfa2d12dbb5b3cd0c (git)
Affected: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 , < 82736bb83fb0221319c85c2e9917d0189cd84e1e (git)
Affected: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 , < cafe9a27e22736d4a01b3933e36225f9857c7988 (git)
Affected: 0dd8a25f355b4df2d41c08df1716340854c7d4c5 , < 92e5995773774a3e70257e9c95ea03518268bea5 (git)
Affected: b06ad258e01389ca3ff13bc180f3fcd6a608f1cd (git)
Affected: c4b64011e458aa2b246cd4e42012cfd83d2d9a5c (git)
Affected: 9b5a29f0acefa3eb1dbe2fa302b393eeff64d933 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:59:43.044Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/hisilicon/hns3/hnae3.c",
            "drivers/net/ethernet/hisilicon/hns3/hnae3.h",
            "drivers/net/ethernet/hisilicon/hns3/hns3_enet.c",
            "drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c",
            "drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "622d92a67656e5c4d2d6ccac02d688ed995418c6",
              "status": "affected",
              "version": "d36b15e3e7b5937cb1f6ac590a85facc3a320642",
              "versionType": "git"
            },
            {
              "lessThan": "8c640dd3d900cc8988a39c007591f1deee776df4",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "lessThan": "e876522659012ef2e73834a0b9f1cbe3f74d5fad",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "lessThan": "b5a8bc47aa0a4aa8bca5466dfa2d12dbb5b3cd0c",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "lessThan": "82736bb83fb0221319c85c2e9917d0189cd84e1e",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "lessThan": "cafe9a27e22736d4a01b3933e36225f9857c7988",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "lessThan": "92e5995773774a3e70257e9c95ea03518268bea5",
              "status": "affected",
              "version": "0dd8a25f355b4df2d41c08df1716340854c7d4c5",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "b06ad258e01389ca3ff13bc180f3fcd6a608f1cd",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "c4b64011e458aa2b246cd4e42012cfd83d2d9a5c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "9b5a29f0acefa3eb1dbe2fa302b393eeff64d933",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/hisilicon/hns3/hnae3.c",
            "drivers/net/ethernet/hisilicon/hns3/hnae3.h",
            "drivers/net/ethernet/hisilicon/hns3/hns3_enet.c",
            "drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c",
            "drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "5.10.76",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.214",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.156",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.14.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: hns3: fix oops when unload drivers paralleling\n\nWhen unload hclge driver, it tries to disable sriov first for each\nae_dev node from hnae3_ae_dev_list. If user unloads hns3 driver at\nthe time, because it removes all the ae_dev nodes, and it may cause\noops.\n\nBut we can\u0027t simply use hnae3_common_lock for this. Because in the\nprocess flow of pci_disable_sriov(), it will trigger the remove flow\nof VF, which will also take hnae3_common_lock.\n\nTo fixes it, introduce a new mutex to protect the unload process."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:33.466Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/622d92a67656e5c4d2d6ccac02d688ed995418c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/8c640dd3d900cc8988a39c007591f1deee776df4"
        },
        {
          "url": "https://git.kernel.org/stable/c/e876522659012ef2e73834a0b9f1cbe3f74d5fad"
        },
        {
          "url": "https://git.kernel.org/stable/c/b5a8bc47aa0a4aa8bca5466dfa2d12dbb5b3cd0c"
        },
        {
          "url": "https://git.kernel.org/stable/c/82736bb83fb0221319c85c2e9917d0189cd84e1e"
        },
        {
          "url": "https://git.kernel.org/stable/c/cafe9a27e22736d4a01b3933e36225f9857c7988"
        },
        {
          "url": "https://git.kernel.org/stable/c/92e5995773774a3e70257e9c95ea03518268bea5"
        }
      ],
      "title": "net: hns3: fix oops when unload drivers paralleling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21802",
    "datePublished": "2025-02-27T20:00:56.292Z",
    "dateReserved": "2024-12-29T08:45:45.771Z",
    "dateUpdated": "2025-11-03T20:59:43.044Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23144 (GCVE-0-2025-23144)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-11-03 19:42

Title

backlight: led_bl: Hold led_access lock when calling led_sysfs_disable()

Summary

In the Linux kernel, the following vulnerability has been resolved: backlight: led_bl: Hold led_access lock when calling led_sysfs_disable() Lockdep detects the following issue on led-backlight removal: [ 142.315935] ------------[ cut here ]------------ [ 142.315954] WARNING: CPU: 2 PID: 292 at drivers/leds/led-core.c:455 led_sysfs_enable+0x54/0x80 ... [ 142.500725] Call trace: [ 142.503176] led_sysfs_enable+0x54/0x80 (P) [ 142.507370] led_bl_remove+0x80/0xa8 [led_bl] [ 142.511742] platform_remove+0x30/0x58 [ 142.515501] device_remove+0x54/0x90 ... Indeed, led_sysfs_enable() has to be called with the led_access lock held. Hold the lock when calling led_sysfs_disable().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/87d947a0607be384b…
	https://git.kernel.org/stable/c/74c7d67a3c305fc1f…
	https://git.kernel.org/stable/c/b447885ec9130cf86…
	https://git.kernel.org/stable/c/1c82f5a393d8b9a5c…
	https://git.kernel.org/stable/c/61a5c565fd2442d31…
	https://git.kernel.org/stable/c/11d128f7eacec276c…
	https://git.kernel.org/stable/c/b8ddf5107f5378944…
	https://git.kernel.org/stable/c/276822a00db3c1061…

Impacted products

Vendor

Product

Version

Linux

Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 87d947a0607be384bfe7bb0935884a711e35ca07 (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 74c7d67a3c305fc1fa03c32a838e8446fb7aee14 (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < b447885ec9130cf86f355e011dc6b94d6ccfb5b7 (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 1c82f5a393d8b9a5c1ea032413719862098afd4b (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 61a5c565fd2442d3128f3bab5f022658adc3a4e6 (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 11d128f7eacec276c75cf4712880a6307ca9c885 (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < b8ddf5107f53789448900f04fa220f34cd2f777e (git)
Affected: ae232e45acf9621f2c96b41ca3af006ac7552c33 , < 276822a00db3c1061382b41e72cafc09d6a0ec30 (git)

Linux

Affected: 5.6
Unaffected: 0 , < 5.6 (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.136 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:32.577Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/backlight/led_bl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "87d947a0607be384bfe7bb0935884a711e35ca07",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "74c7d67a3c305fc1fa03c32a838e8446fb7aee14",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "b447885ec9130cf86f355e011dc6b94d6ccfb5b7",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "1c82f5a393d8b9a5c1ea032413719862098afd4b",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "61a5c565fd2442d3128f3bab5f022658adc3a4e6",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "11d128f7eacec276c75cf4712880a6307ca9c885",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "b8ddf5107f53789448900f04fa220f34cd2f777e",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            },
            {
              "lessThan": "276822a00db3c1061382b41e72cafc09d6a0ec30",
              "status": "affected",
              "version": "ae232e45acf9621f2c96b41ca3af006ac7552c33",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/video/backlight/led_bl.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.6"
            },
            {
              "lessThan": "5.6",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.136",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.6",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbacklight: led_bl: Hold led_access lock when calling led_sysfs_disable()\n\nLockdep detects the following issue on led-backlight removal:\n  [  142.315935] ------------[ cut here ]------------\n  [  142.315954] WARNING: CPU: 2 PID: 292 at drivers/leds/led-core.c:455 led_sysfs_enable+0x54/0x80\n  ...\n  [  142.500725] Call trace:\n  [  142.503176]  led_sysfs_enable+0x54/0x80 (P)\n  [  142.507370]  led_bl_remove+0x80/0xa8 [led_bl]\n  [  142.511742]  platform_remove+0x30/0x58\n  [  142.515501]  device_remove+0x54/0x90\n  ...\n\nIndeed, led_sysfs_enable() has to be called with the led_access\nlock held.\n\nHold the lock when calling led_sysfs_disable()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:23.987Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/87d947a0607be384bfe7bb0935884a711e35ca07"
        },
        {
          "url": "https://git.kernel.org/stable/c/74c7d67a3c305fc1fa03c32a838e8446fb7aee14"
        },
        {
          "url": "https://git.kernel.org/stable/c/b447885ec9130cf86f355e011dc6b94d6ccfb5b7"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c82f5a393d8b9a5c1ea032413719862098afd4b"
        },
        {
          "url": "https://git.kernel.org/stable/c/61a5c565fd2442d3128f3bab5f022658adc3a4e6"
        },
        {
          "url": "https://git.kernel.org/stable/c/11d128f7eacec276c75cf4712880a6307ca9c885"
        },
        {
          "url": "https://git.kernel.org/stable/c/b8ddf5107f53789448900f04fa220f34cd2f777e"
        },
        {
          "url": "https://git.kernel.org/stable/c/276822a00db3c1061382b41e72cafc09d6a0ec30"
        }
      ],
      "title": "backlight: led_bl: Hold led_access lock when calling led_sysfs_disable()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23144",
    "datePublished": "2025-05-01T12:55:33.985Z",
    "dateReserved": "2025-01-11T14:28:41.512Z",
    "dateUpdated": "2025-11-03T19:42:32.577Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37889 (GCVE-0-2025-37889)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:45 – Updated: 2025-11-03 19:57

Title

ASoC: ops: Consistently treat platform_max as control value

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: ops: Consistently treat platform_max as control value This reverts commit 9bdd10d57a88 ("ASoC: ops: Shift tested values in snd_soc_put_volsw() by +min"), and makes some additional related updates. There are two ways the platform_max could be interpreted; the maximum register value, or the maximum value the control can be set to. The patch moved from treating the value as a control value to a register one. When the patch was applied it was technically correct as snd_soc_limit_volume() also used the register interpretation. However, even then most of the other usages treated platform_max as a control value, and snd_soc_limit_volume() has since been updated to also do so in commit fb9ad24485087 ("ASoC: ops: add correct range check for limiting volume"). That patch however, missed updating snd_soc_put_volsw() back to the control interpretation, and fixing snd_soc_info_volsw_range(). The control interpretation makes more sense as limiting is typically done from the machine driver, so it is appropriate to use the customer facing representation rather than the internal codec representation. Update all the code to consistently use this interpretation of platform_max. Finally, also add some comments to the soc_mixer_control struct to hopefully avoid further patches switching between the two approaches.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c402f184a053c8e7c…
	https://git.kernel.org/stable/c/694110bc2407a61f0…
	https://git.kernel.org/stable/c/544055329560d4b64…
	https://git.kernel.org/stable/c/a46a9371f8b9a0eef…
	https://git.kernel.org/stable/c/296c8295ae34045da…
	https://git.kernel.org/stable/c/0eba2a7e858907a74…

Impacted products

Vendor

Product

Version

Linux

Affected: c11fc224e58e7972ffd05b8f25e9b1d6a0b8d562 , < c402f184a053c8e7ca325e50f04bbbc1e4fee019 (git)
Affected: a50562146d6c7650029a115c96ef9aaa7648c344 , < 694110bc2407a61f02a770cbb5f39b51e4ec77c6 (git)
Affected: 395e52b7a1ad01e1b51adb09854a0aa5347428de , < 544055329560d4b64fe204fc6be325ebc24c72ca (git)
Affected: fb9ad24485087e0f00d84bee7a5914640b2b9024 , < a46a9371f8b9a0eeff53a21e11ed3b65f52d9cf6 (git)
Affected: fb9ad24485087e0f00d84bee7a5914640b2b9024 , < 296c8295ae34045da0214882628d49c1c060dd8a (git)
Affected: fb9ad24485087e0f00d84bee7a5914640b2b9024 , < 0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:00.804Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/sound/soc.h",
            "sound/soc/soc-ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c402f184a053c8e7ca325e50f04bbbc1e4fee019",
              "status": "affected",
              "version": "c11fc224e58e7972ffd05b8f25e9b1d6a0b8d562",
              "versionType": "git"
            },
            {
              "lessThan": "694110bc2407a61f02a770cbb5f39b51e4ec77c6",
              "status": "affected",
              "version": "a50562146d6c7650029a115c96ef9aaa7648c344",
              "versionType": "git"
            },
            {
              "lessThan": "544055329560d4b64fe204fc6be325ebc24c72ca",
              "status": "affected",
              "version": "395e52b7a1ad01e1b51adb09854a0aa5347428de",
              "versionType": "git"
            },
            {
              "lessThan": "a46a9371f8b9a0eeff53a21e11ed3b65f52d9cf6",
              "status": "affected",
              "version": "fb9ad24485087e0f00d84bee7a5914640b2b9024",
              "versionType": "git"
            },
            {
              "lessThan": "296c8295ae34045da0214882628d49c1c060dd8a",
              "status": "affected",
              "version": "fb9ad24485087e0f00d84bee7a5914640b2b9024",
              "versionType": "git"
            },
            {
              "lessThan": "0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3",
              "status": "affected",
              "version": "fb9ad24485087e0f00d84bee7a5914640b2b9024",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/sound/soc.h",
            "sound/soc/soc-ops.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.15.148",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "6.1.74",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "6.6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: ops: Consistently treat platform_max as control value\n\nThis reverts commit 9bdd10d57a88 (\"ASoC: ops: Shift tested values in\nsnd_soc_put_volsw() by +min\"), and makes some additional related\nupdates.\n\nThere are two ways the platform_max could be interpreted; the maximum\nregister value, or the maximum value the control can be set to. The\npatch moved from treating the value as a control value to a register\none. When the patch was applied it was technically correct as\nsnd_soc_limit_volume() also used the register interpretation. However,\neven then most of the other usages treated platform_max as a\ncontrol value, and snd_soc_limit_volume() has since been updated to\nalso do so in commit fb9ad24485087 (\"ASoC: ops: add correct range\ncheck for limiting volume\"). That patch however, missed updating\nsnd_soc_put_volsw() back to the control interpretation, and fixing\nsnd_soc_info_volsw_range(). The control interpretation makes more\nsense as limiting is typically done from the machine driver, so it is\nappropriate to use the customer facing representation rather than the\ninternal codec representation. Update all the code to consistently use\nthis interpretation of platform_max.\n\nFinally, also add some comments to the soc_mixer_control struct to\nhopefully avoid further patches switching between the two approaches."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-10T14:09:43.898Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c402f184a053c8e7ca325e50f04bbbc1e4fee019"
        },
        {
          "url": "https://git.kernel.org/stable/c/694110bc2407a61f02a770cbb5f39b51e4ec77c6"
        },
        {
          "url": "https://git.kernel.org/stable/c/544055329560d4b64fe204fc6be325ebc24c72ca"
        },
        {
          "url": "https://git.kernel.org/stable/c/a46a9371f8b9a0eeff53a21e11ed3b65f52d9cf6"
        },
        {
          "url": "https://git.kernel.org/stable/c/296c8295ae34045da0214882628d49c1c060dd8a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0eba2a7e858907a746ba69cd002eb9eb4dbd7bf3"
        }
      ],
      "title": "ASoC: ops: Consistently treat platform_max as control value",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37889",
    "datePublished": "2025-05-09T06:45:50.868Z",
    "dateReserved": "2025-04-16T04:51:23.963Z",
    "dateUpdated": "2025-11-03T19:57:00.804Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21915 (GCVE-0-2025-21915)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2025-05-04 07:24

Title

cdx: Fix possible UAF error in driver_override_show()

Summary

In the Linux kernel, the following vulnerability has been resolved: cdx: Fix possible UAF error in driver_override_show() Fixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c This function driver_override_show() is part of DEVICE_ATTR_RW, which includes both driver_override_show() and driver_override_store(). These functions can be executed concurrently in sysfs. The driver_override_store() function uses driver_set_override() to update the driver_override value, and driver_set_override() internally locks the device (device_lock(dev)). If driver_override_show() reads cdx_dev->driver_override without locking, it could potentially access a freed pointer if driver_override_store() frees the string concurrently. This could lead to printing a kernel address, which is a security risk since DEVICE_ATTR can be read by all users. Additionally, a similar pattern is used in drivers/amba/bus.c, as well as many other bus drivers, where device_lock() is taken in the show function, and it has been working without issues. This potential bug was detected by our experimental static analysis tool, which analyzes locking APIs and paired functions to identify data races and atomicity violations.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d7b339bbc887bcfc1…
	https://git.kernel.org/stable/c/8473135f89c094943…
	https://git.kernel.org/stable/c/0439d541aa8d3444a…
	https://git.kernel.org/stable/c/91d44c1afc61a2fec…

Impacted products

Vendor

Product

Version

Linux

Affected: 2959ab247061e67485d83b6af8feb3761ec08cb9 , < d7b339bbc887bcfc1a5b620bfc70c6fbb8f733bf (git)
Affected: 2959ab247061e67485d83b6af8feb3761ec08cb9 , < 8473135f89c0949436a22adb05b8cece2fb3da91 (git)
Affected: 2959ab247061e67485d83b6af8feb3761ec08cb9 , < 0439d541aa8d3444ad41c39e39eb71acb57acde3 (git)
Affected: 2959ab247061e67485d83b6af8feb3761ec08cb9 , < 91d44c1afc61a2fec37a9c7a3485368309391e0b (git)

Linux

Affected: 6.4
Unaffected: 0 , < 6.4 (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21915",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-21T14:57:30.156471Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-21T15:01:46.061Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/cdx/cdx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d7b339bbc887bcfc1a5b620bfc70c6fbb8f733bf",
              "status": "affected",
              "version": "2959ab247061e67485d83b6af8feb3761ec08cb9",
              "versionType": "git"
            },
            {
              "lessThan": "8473135f89c0949436a22adb05b8cece2fb3da91",
              "status": "affected",
              "version": "2959ab247061e67485d83b6af8feb3761ec08cb9",
              "versionType": "git"
            },
            {
              "lessThan": "0439d541aa8d3444ad41c39e39eb71acb57acde3",
              "status": "affected",
              "version": "2959ab247061e67485d83b6af8feb3761ec08cb9",
              "versionType": "git"
            },
            {
              "lessThan": "91d44c1afc61a2fec37a9c7a3485368309391e0b",
              "status": "affected",
              "version": "2959ab247061e67485d83b6af8feb3761ec08cb9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/cdx/cdx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.4"
            },
            {
              "lessThan": "6.4",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncdx: Fix possible UAF error in driver_override_show()\n\nFixed a possible UAF problem in driver_override_show() in drivers/cdx/cdx.c\n\nThis function driver_override_show() is part of DEVICE_ATTR_RW, which\nincludes both driver_override_show() and driver_override_store().\nThese functions can be executed concurrently in sysfs.\n\nThe driver_override_store() function uses driver_set_override() to\nupdate the driver_override value, and driver_set_override() internally\nlocks the device (device_lock(dev)). If driver_override_show() reads\ncdx_dev-\u003edriver_override without locking, it could potentially access\na freed pointer if driver_override_store() frees the string\nconcurrently. This could lead to printing a kernel address, which is a\nsecurity risk since DEVICE_ATTR can be read by all users.\n\nAdditionally, a similar pattern is used in drivers/amba/bus.c, as well\nas many other bus drivers, where device_lock() is taken in the show\nfunction, and it has been working without issues.\n\nThis potential bug was detected by our experimental static analysis\ntool, which analyzes locking APIs and paired functions to identify\ndata races and atomicity violations."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:24:23.107Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d7b339bbc887bcfc1a5b620bfc70c6fbb8f733bf"
        },
        {
          "url": "https://git.kernel.org/stable/c/8473135f89c0949436a22adb05b8cece2fb3da91"
        },
        {
          "url": "https://git.kernel.org/stable/c/0439d541aa8d3444ad41c39e39eb71acb57acde3"
        },
        {
          "url": "https://git.kernel.org/stable/c/91d44c1afc61a2fec37a9c7a3485368309391e0b"
        }
      ],
      "title": "cdx: Fix possible UAF error in driver_override_show()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21915",
    "datePublished": "2025-04-01T15:40:52.019Z",
    "dateReserved": "2024-12-29T08:45:45.787Z",
    "dateUpdated": "2025-05-04T07:24:23.107Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21944 (GCVE-0-2025-21944)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:41 – Updated: 2025-11-03 19:39

Title

ksmbd: fix bug on trap in smb2_lock

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix bug on trap in smb2_lock If lock count is greater than 1, flags could be old value. It should be checked with flags of smb_lock, not flags. It will cause bug-on trap from locks_free_lock in error handling routine.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/11e0e74e14f1832a9…
	https://git.kernel.org/stable/c/8994f0ce8259f812b…
	https://git.kernel.org/stable/c/dbcd7fdd86f775292…
	https://git.kernel.org/stable/c/2b70e3ac79eacbdf3…
	https://git.kernel.org/stable/c/e26e2d2e15daf1ab3…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 11e0e74e14f1832a95092f2c98ed3b99f57797ee (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 8994f0ce8259f812b4f4a681d8298c6ff682efaa (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < dbcd7fdd86f77529210fe8978154a81cd479844c (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 2b70e3ac79eacbdf32571f7af48dd81cdd957ca8 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < e26e2d2e15daf1ab33e0135caf2304a0cfa2744b (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:39:44.619Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "11e0e74e14f1832a95092f2c98ed3b99f57797ee",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "8994f0ce8259f812b4f4a681d8298c6ff682efaa",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "dbcd7fdd86f77529210fe8978154a81cd479844c",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "2b70e3ac79eacbdf32571f7af48dd81cdd957ca8",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "e26e2d2e15daf1ab33e0135caf2304a0cfa2744b",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/smb2pdu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix bug on trap in smb2_lock\n\nIf lock count is greater than 1, flags could be old value.\nIt should be checked with flags of smb_lock, not flags.\nIt will cause bug-on trap from locks_free_lock in error handling\nroutine."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:22.648Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/11e0e74e14f1832a95092f2c98ed3b99f57797ee"
        },
        {
          "url": "https://git.kernel.org/stable/c/8994f0ce8259f812b4f4a681d8298c6ff682efaa"
        },
        {
          "url": "https://git.kernel.org/stable/c/dbcd7fdd86f77529210fe8978154a81cd479844c"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b70e3ac79eacbdf32571f7af48dd81cdd957ca8"
        },
        {
          "url": "https://git.kernel.org/stable/c/e26e2d2e15daf1ab33e0135caf2304a0cfa2744b"
        }
      ],
      "title": "ksmbd: fix bug on trap in smb2_lock",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21944",
    "datePublished": "2025-04-01T15:41:07.977Z",
    "dateReserved": "2024-12-29T08:45:45.790Z",
    "dateUpdated": "2025-11-03T19:39:44.619Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22028 (GCVE-0-2025-22028)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:11 – Updated: 2025-05-26 05:16

Title

media: vimc: skip .s_stream() for stopped entities

Summary

In the Linux kernel, the following vulnerability has been resolved: media: vimc: skip .s_stream() for stopped entities Syzbot reported [1] a warning prompted by a check in call_s_stream() that checks whether .s_stream() operation is warranted for unstarted or stopped subdevs. Add a simple fix in vimc_streamer_pipeline_terminate() ensuring that entities skip a call to .s_stream() unless they have been previously properly started. [1] Syzbot report: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460 Modules linked in: CPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0 ... Call Trace: <TASK> vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62 vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline] vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203 vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256 vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789 vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348 vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline] vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118 __video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122 video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463 v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:906 [inline] __se_sys_ioctl fs/ioctl.c:892 [inline] __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f RIP: 0033:0x7f2b85c01b19 ...

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/a505075730d23ccc1…
	https://git.kernel.org/stable/c/845e9286ff99ee88c…
	https://git.kernel.org/stable/c/6f6064dab4dcfb7e3…
	https://git.kernel.org/stable/c/7a58d4c4cf8ff60ab…
	https://git.kernel.org/stable/c/36cef585e2a31e4dd…

Impacted products

Vendor

Product

Version

Linux

Affected: adc589d2a20808fb99d46a78175cd023f2040338 , < a505075730d23ccc19fc4ac382a0ed73b630c057 (git)
Affected: adc589d2a20808fb99d46a78175cd023f2040338 , < 845e9286ff99ee88cfdeb2b748f730003a512190 (git)
Affected: adc589d2a20808fb99d46a78175cd023f2040338 , < 6f6064dab4dcfb7e34a395040a0c9dc22cc8765d (git)
Affected: adc589d2a20808fb99d46a78175cd023f2040338 , < 7a58d4c4cf8ff60ab1f93399deefaf6057da91c7 (git)
Affected: adc589d2a20808fb99d46a78175cd023f2040338 , < 36cef585e2a31e4ddf33a004b0584a7a572246de (git)
Affected: 77fbb561bb09f56877dd84318212da393909975f (git)
Affected: 73236bf581e96eb48808fea522351ed81e24c9cc (git)
Affected: e7ae48ae47227c0302b9f4b15a5bf45934a55673 (git)

Linux

Affected: 5.1
Unaffected: 0 , < 5.1 (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vimc/vimc-streamer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "a505075730d23ccc19fc4ac382a0ed73b630c057",
              "status": "affected",
              "version": "adc589d2a20808fb99d46a78175cd023f2040338",
              "versionType": "git"
            },
            {
              "lessThan": "845e9286ff99ee88cfdeb2b748f730003a512190",
              "status": "affected",
              "version": "adc589d2a20808fb99d46a78175cd023f2040338",
              "versionType": "git"
            },
            {
              "lessThan": "6f6064dab4dcfb7e34a395040a0c9dc22cc8765d",
              "status": "affected",
              "version": "adc589d2a20808fb99d46a78175cd023f2040338",
              "versionType": "git"
            },
            {
              "lessThan": "7a58d4c4cf8ff60ab1f93399deefaf6057da91c7",
              "status": "affected",
              "version": "adc589d2a20808fb99d46a78175cd023f2040338",
              "versionType": "git"
            },
            {
              "lessThan": "36cef585e2a31e4ddf33a004b0584a7a572246de",
              "status": "affected",
              "version": "adc589d2a20808fb99d46a78175cd023f2040338",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "77fbb561bb09f56877dd84318212da393909975f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "73236bf581e96eb48808fea522351ed81e24c9cc",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e7ae48ae47227c0302b9f4b15a5bf45934a55673",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/media/test-drivers/vimc/vimc-streamer.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.1"
            },
            {
              "lessThan": "5.1",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.1",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.108",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.0.4",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmedia: vimc: skip .s_stream() for stopped entities\n\nSyzbot reported [1] a warning prompted by a check in call_s_stream()\nthat checks whether .s_stream() operation is warranted for unstarted\nor stopped subdevs.\n\nAdd a simple fix in vimc_streamer_pipeline_terminate() ensuring that\nentities skip a call to .s_stream() unless they have been previously\nproperly started.\n\n[1] Syzbot report:\n------------[ cut here ]------------\nWARNING: CPU: 0 PID: 5933 at drivers/media/v4l2-core/v4l2-subdev.c:460 call_s_stream+0x2df/0x350 drivers/media/v4l2-core/v4l2-subdev.c:460\nModules linked in:\nCPU: 0 UID: 0 PID: 5933 Comm: syz-executor330 Not tainted 6.13.0-rc2-syzkaller-00362-g2d8308bf5b67 #0\n...\nCall Trace:\n \u003cTASK\u003e\n vimc_streamer_pipeline_terminate+0x218/0x320 drivers/media/test-drivers/vimc/vimc-streamer.c:62\n vimc_streamer_pipeline_init drivers/media/test-drivers/vimc/vimc-streamer.c:101 [inline]\n vimc_streamer_s_stream+0x650/0x9a0 drivers/media/test-drivers/vimc/vimc-streamer.c:203\n vimc_capture_start_streaming+0xa1/0x130 drivers/media/test-drivers/vimc/vimc-capture.c:256\n vb2_start_streaming+0x15f/0x5a0 drivers/media/common/videobuf2/videobuf2-core.c:1789\n vb2_core_streamon+0x2a7/0x450 drivers/media/common/videobuf2/videobuf2-core.c:2348\n vb2_streamon drivers/media/common/videobuf2/videobuf2-v4l2.c:875 [inline]\n vb2_ioctl_streamon+0xf4/0x170 drivers/media/common/videobuf2/videobuf2-v4l2.c:1118\n __video_do_ioctl+0xaf0/0xf00 drivers/media/v4l2-core/v4l2-ioctl.c:3122\n video_usercopy+0x4d2/0x1620 drivers/media/v4l2-core/v4l2-ioctl.c:3463\n v4l2_ioctl+0x1ba/0x250 drivers/media/v4l2-core/v4l2-dev.c:366\n vfs_ioctl fs/ioctl.c:51 [inline]\n __do_sys_ioctl fs/ioctl.c:906 [inline]\n __se_sys_ioctl fs/ioctl.c:892 [inline]\n __x64_sys_ioctl+0x190/0x200 fs/ioctl.c:892\n do_syscall_x64 arch/x86/entry/common.c:52 [inline]\n do_syscall_64+0xcd/0x250 arch/x86/entry/common.c:83\n entry_SYSCALL_64_after_hwframe+0x77/0x7f\nRIP: 0033:0x7f2b85c01b19\n..."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:16:55.842Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/a505075730d23ccc19fc4ac382a0ed73b630c057"
        },
        {
          "url": "https://git.kernel.org/stable/c/845e9286ff99ee88cfdeb2b748f730003a512190"
        },
        {
          "url": "https://git.kernel.org/stable/c/6f6064dab4dcfb7e34a395040a0c9dc22cc8765d"
        },
        {
          "url": "https://git.kernel.org/stable/c/7a58d4c4cf8ff60ab1f93399deefaf6057da91c7"
        },
        {
          "url": "https://git.kernel.org/stable/c/36cef585e2a31e4ddf33a004b0584a7a572246de"
        }
      ],
      "title": "media: vimc: skip .s_stream() for stopped entities",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22028",
    "datePublished": "2025-04-16T14:11:48.913Z",
    "dateReserved": "2024-12-29T08:45:45.808Z",
    "dateUpdated": "2025-05-26T05:16:55.842Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37941 (GCVE-0-2025-37941)

Vulnerability from cvelistv5 – Published: 2025-05-20 15:58 – Updated: 2025-05-26 05:24

Title

ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe()

Summary

In the Linux kernel, the following vulnerability has been resolved: ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe() When snd_soc_dapm_new_controls() or snd_soc_dapm_add_routes() fails, wcd937x_soc_codec_probe() returns without releasing 'wcd937x->clsh_info', which is allocated by wcd_clsh_ctrl_alloc. Add wcd_clsh_ctrl_free() to prevent potential memory leak.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/acadb2e2b3c5b9977…
	https://git.kernel.org/stable/c/b573e04116fd33b91…
	https://git.kernel.org/stable/c/aafb5325aca3e806b…
	https://git.kernel.org/stable/c/3e330acf4efd63876…

Impacted products

Vendor

Product

Version

Linux

Affected: 313e978df7fc38b9e949ac5933d0d9d56d5e8a9c , < acadb2e2b3c5b9977a843a3a94fece9bdcf6aea1 (git)
Affected: 313e978df7fc38b9e949ac5933d0d9d56d5e8a9c , < b573e04116fd33b9143fa276bbab2f0afad0a1ae (git)
Affected: 313e978df7fc38b9e949ac5933d0d9d56d5e8a9c , < aafb5325aca3e806b3ea3707402189263473d257 (git)
Affected: 313e978df7fc38b9e949ac5933d0d9d56d5e8a9c , < 3e330acf4efd63876d673c046cd073a1d4ed57a8 (git)

Linux

Affected: 6.11
Unaffected: 0 , < 6.11 (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/codecs/wcd937x.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "acadb2e2b3c5b9977a843a3a94fece9bdcf6aea1",
              "status": "affected",
              "version": "313e978df7fc38b9e949ac5933d0d9d56d5e8a9c",
              "versionType": "git"
            },
            {
              "lessThan": "b573e04116fd33b9143fa276bbab2f0afad0a1ae",
              "status": "affected",
              "version": "313e978df7fc38b9e949ac5933d0d9d56d5e8a9c",
              "versionType": "git"
            },
            {
              "lessThan": "aafb5325aca3e806b3ea3707402189263473d257",
              "status": "affected",
              "version": "313e978df7fc38b9e949ac5933d0d9d56d5e8a9c",
              "versionType": "git"
            },
            {
              "lessThan": "3e330acf4efd63876d673c046cd073a1d4ed57a8",
              "status": "affected",
              "version": "313e978df7fc38b9e949ac5933d0d9d56d5e8a9c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "sound/soc/codecs/wcd937x.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.11"
            },
            {
              "lessThan": "6.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.11",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe()\n\nWhen snd_soc_dapm_new_controls() or snd_soc_dapm_add_routes() fails,\nwcd937x_soc_codec_probe() returns without releasing \u0027wcd937x-\u003eclsh_info\u0027,\nwhich is allocated by wcd_clsh_ctrl_alloc. Add wcd_clsh_ctrl_free()\nto prevent potential memory leak."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:24:11.521Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/acadb2e2b3c5b9977a843a3a94fece9bdcf6aea1"
        },
        {
          "url": "https://git.kernel.org/stable/c/b573e04116fd33b9143fa276bbab2f0afad0a1ae"
        },
        {
          "url": "https://git.kernel.org/stable/c/aafb5325aca3e806b3ea3707402189263473d257"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e330acf4efd63876d673c046cd073a1d4ed57a8"
        }
      ],
      "title": "ASoC: codecs: wcd937x: fix a potential memory leak in wcd937x_soc_codec_probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37941",
    "datePublished": "2025-05-20T15:58:18.275Z",
    "dateReserved": "2025-04-16T04:51:23.971Z",
    "dateUpdated": "2025-05-26T05:24:11.521Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37942 (GCVE-0-2025-37942)

Vulnerability from cvelistv5 – Published: 2025-05-20 15:58 – Updated: 2026-01-02 15:40

This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:40:15.841Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "rejectedReasons": [
        {
          "lang": "en",
          "value": "This CVE ID has been rejected or withdrawn by its CVE Numbering Authority."
        }
      ]
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37942",
    "datePublished": "2025-05-20T15:58:18.935Z",
    "dateRejected": "2026-01-02T15:40:15.841Z",
    "dateReserved": "2025-04-16T04:51:23.971Z",
    "dateUpdated": "2026-01-02T15:40:15.841Z",
    "state": "REJECTED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22061 (GCVE-0-2025-22061)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-05-26 05:17

Title

net: airoha: Fix qid report in airoha_tc_get_htb_get_leaf_queue()

Summary

In the Linux kernel, the following vulnerability has been resolved: net: airoha: Fix qid report in airoha_tc_get_htb_get_leaf_queue() Fix the following kernel warning deleting HTB offloaded leafs and/or root HTB qdisc in airoha_eth driver properly reporting qid in airoha_tc_get_htb_get_leaf_queue routine. $tc qdisc replace dev eth1 root handle 10: htb offload $tc class add dev eth1 arent 10: classid 10:4 htb rate 100mbit ceil 100mbit $tc qdisc replace dev eth1 parent 10:4 handle 4: ets bands 8 \ quanta 1514 3028 4542 6056 7570 9084 10598 12112 $tc qdisc del dev eth1 root [ 55.827864] ------------[ cut here ]------------ [ 55.832493] WARNING: CPU: 3 PID: 2678 at 0xffffffc0798695a4 [ 55.956510] CPU: 3 PID: 2678 Comm: tc Tainted: G O 6.6.71 #0 [ 55.963557] Hardware name: Airoha AN7581 Evaluation Board (DT) [ 55.969383] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--) [ 55.976344] pc : 0xffffffc0798695a4 [ 55.979851] lr : 0xffffffc079869a20 [ 55.983358] sp : ffffffc0850536a0 [ 55.986665] x29: ffffffc0850536a0 x28: 0000000000000024 x27: 0000000000000001 [ 55.993800] x26: 0000000000000000 x25: ffffff8008b19000 x24: ffffff800222e800 [ 56.000935] x23: 0000000000000001 x22: 0000000000000000 x21: ffffff8008b19000 [ 56.008071] x20: ffffff8002225800 x19: ffffff800379d000 x18: 0000000000000000 [ 56.015206] x17: ffffffbf9ea59000 x16: ffffffc080018000 x15: 0000000000000000 [ 56.022342] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000001 [ 56.029478] x11: ffffffc081471008 x10: ffffffc081575a98 x9 : 0000000000000000 [ 56.036614] x8 : ffffffc08167fd40 x7 : ffffffc08069e104 x6 : ffffff8007f86000 [ 56.043748] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000001 [ 56.050884] x2 : 0000000000000000 x1 : 0000000000000250 x0 : ffffff800222c000 [ 56.058020] Call trace: [ 56.060459] 0xffffffc0798695a4 [ 56.063618] 0xffffffc079869a20 [ 56.066777] __qdisc_destroy+0x40/0xa0 [ 56.070528] qdisc_put+0x54/0x6c [ 56.073748] qdisc_graft+0x41c/0x648 [ 56.077324] tc_get_qdisc+0x168/0x2f8 [ 56.080978] rtnetlink_rcv_msg+0x230/0x330 [ 56.085076] netlink_rcv_skb+0x5c/0x128 [ 56.088913] rtnetlink_rcv+0x14/0x1c [ 56.092490] netlink_unicast+0x1e0/0x2c8 [ 56.096413] netlink_sendmsg+0x198/0x3c8 [ 56.100337] ____sys_sendmsg+0x1c4/0x274 [ 56.104261] ___sys_sendmsg+0x7c/0xc0 [ 56.107924] __sys_sendmsg+0x44/0x98 [ 56.111492] __arm64_sys_sendmsg+0x20/0x28 [ 56.115580] invoke_syscall.constprop.0+0x58/0xfc [ 56.120285] do_el0_svc+0x3c/0xbc [ 56.123592] el0_svc+0x18/0x4c [ 56.126647] el0t_64_sync_handler+0x118/0x124 [ 56.131005] el0t_64_sync+0x150/0x154 [ 56.134660] ---[ end trace 0000000000000000 ]---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d7f76197e49e46a8c…
	https://git.kernel.org/stable/c/57b290d97c6150774…

Impacted products

Vendor

Product

Version

Linux

Affected: ef1ca9271313b4ea7b03de69576aacef1e78f381 , < d7f76197e49e46a8c082a6fededaa8a07e69a860 (git)
Affected: ef1ca9271313b4ea7b03de69576aacef1e78f381 , < 57b290d97c6150774bf929117ca737a26d8fc33d (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/airoha/airoha_eth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d7f76197e49e46a8c082a6fededaa8a07e69a860",
              "status": "affected",
              "version": "ef1ca9271313b4ea7b03de69576aacef1e78f381",
              "versionType": "git"
            },
            {
              "lessThan": "57b290d97c6150774bf929117ca737a26d8fc33d",
              "status": "affected",
              "version": "ef1ca9271313b4ea7b03de69576aacef1e78f381",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/airoha/airoha_eth.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet: airoha: Fix qid report in airoha_tc_get_htb_get_leaf_queue()\n\nFix the following kernel warning deleting HTB offloaded leafs and/or root\nHTB qdisc in airoha_eth driver properly reporting qid in\nairoha_tc_get_htb_get_leaf_queue routine.\n\n$tc qdisc replace dev eth1 root handle 10: htb offload\n$tc class add dev eth1 arent 10: classid 10:4 htb rate 100mbit ceil 100mbit\n$tc qdisc replace dev eth1 parent 10:4 handle 4: ets bands 8 \\\n quanta 1514 3028 4542 6056 7570 9084 10598 12112\n$tc qdisc del dev eth1 root\n\n[   55.827864] ------------[ cut here ]------------\n[   55.832493] WARNING: CPU: 3 PID: 2678 at 0xffffffc0798695a4\n[   55.956510] CPU: 3 PID: 2678 Comm: tc Tainted: G           O 6.6.71 #0\n[   55.963557] Hardware name: Airoha AN7581 Evaluation Board (DT)\n[   55.969383] pstate: 20400005 (nzCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)\n[   55.976344] pc : 0xffffffc0798695a4\n[   55.979851] lr : 0xffffffc079869a20\n[   55.983358] sp : ffffffc0850536a0\n[   55.986665] x29: ffffffc0850536a0 x28: 0000000000000024 x27: 0000000000000001\n[   55.993800] x26: 0000000000000000 x25: ffffff8008b19000 x24: ffffff800222e800\n[   56.000935] x23: 0000000000000001 x22: 0000000000000000 x21: ffffff8008b19000\n[   56.008071] x20: ffffff8002225800 x19: ffffff800379d000 x18: 0000000000000000\n[   56.015206] x17: ffffffbf9ea59000 x16: ffffffc080018000 x15: 0000000000000000\n[   56.022342] x14: 0000000000000000 x13: 0000000000000000 x12: 0000000000000001\n[   56.029478] x11: ffffffc081471008 x10: ffffffc081575a98 x9 : 0000000000000000\n[   56.036614] x8 : ffffffc08167fd40 x7 : ffffffc08069e104 x6 : ffffff8007f86000\n[   56.043748] x5 : 0000000000000000 x4 : 0000000000000000 x3 : 0000000000000001\n[   56.050884] x2 : 0000000000000000 x1 : 0000000000000250 x0 : ffffff800222c000\n[   56.058020] Call trace:\n[   56.060459]  0xffffffc0798695a4\n[   56.063618]  0xffffffc079869a20\n[   56.066777]  __qdisc_destroy+0x40/0xa0\n[   56.070528]  qdisc_put+0x54/0x6c\n[   56.073748]  qdisc_graft+0x41c/0x648\n[   56.077324]  tc_get_qdisc+0x168/0x2f8\n[   56.080978]  rtnetlink_rcv_msg+0x230/0x330\n[   56.085076]  netlink_rcv_skb+0x5c/0x128\n[   56.088913]  rtnetlink_rcv+0x14/0x1c\n[   56.092490]  netlink_unicast+0x1e0/0x2c8\n[   56.096413]  netlink_sendmsg+0x198/0x3c8\n[   56.100337]  ____sys_sendmsg+0x1c4/0x274\n[   56.104261]  ___sys_sendmsg+0x7c/0xc0\n[   56.107924]  __sys_sendmsg+0x44/0x98\n[   56.111492]  __arm64_sys_sendmsg+0x20/0x28\n[   56.115580]  invoke_syscall.constprop.0+0x58/0xfc\n[   56.120285]  do_el0_svc+0x3c/0xbc\n[   56.123592]  el0_svc+0x18/0x4c\n[   56.126647]  el0t_64_sync_handler+0x118/0x124\n[   56.131005]  el0t_64_sync+0x150/0x154\n[   56.134660] ---[ end trace 0000000000000000 ]---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:37.014Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d7f76197e49e46a8c082a6fededaa8a07e69a860"
        },
        {
          "url": "https://git.kernel.org/stable/c/57b290d97c6150774bf929117ca737a26d8fc33d"
        }
      ],
      "title": "net: airoha: Fix qid report in airoha_tc_get_htb_get_leaf_queue()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22061",
    "datePublished": "2025-04-16T14:12:16.924Z",
    "dateReserved": "2024-12-29T08:45:45.812Z",
    "dateUpdated": "2025-05-26T05:17:37.014Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21673 (GCVE-0-2025-21673)

Vulnerability from cvelistv5 – Published: 2025-01-31 11:25 – Updated: 2025-10-01 19:57

Title

smb: client: fix double free of TCP_Server_Info::hostname

Summary

In the Linux kernel, the following vulnerability has been resolved: smb: client: fix double free of TCP_Server_Info::hostname When shutting down the server in cifs_put_tcp_session(), cifsd thread might be reconnecting to multiple DFS targets before it realizes it should exit the loop, so @server->hostname can't be freed as long as cifsd thread isn't done. Otherwise the following can happen: RIP: 0010:__slab_free+0x223/0x3c0 Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89 1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff <0f> 0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80 RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246 RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068 RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400 RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000 R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500 R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068 FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000) 000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4: PKRU: 55555554 Call Trace: <TASK> ? show_trace_log_lvl+0x1c4/0x2df ? show_trace_log_lvl+0x1c4/0x2df ? __reconnect_target_unlocked+0x3e/0x160 [cifs] ? __die_body.cold+0x8/0xd ? die+0x2b/0x50 ? do_trap+0xce/0x120 ? __slab_free+0x223/0x3c0 ? do_error_trap+0x65/0x80 ? __slab_free+0x223/0x3c0 ? exc_invalid_op+0x4e/0x70 ? __slab_free+0x223/0x3c0 ? asm_exc_invalid_op+0x16/0x20 ? __slab_free+0x223/0x3c0 ? extract_hostname+0x5c/0xa0 [cifs] ? extract_hostname+0x5c/0xa0 [cifs] ? __kmalloc+0x4b/0x140 __reconnect_target_unlocked+0x3e/0x160 [cifs] reconnect_dfs_server+0x145/0x430 [cifs] cifs_handle_standard+0x1ad/0x1d0 [cifs] cifs_demultiplex_thread+0x592/0x730 [cifs] ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs] kthread+0xdd/0x100 ? __pfx_kthread+0x10/0x10 ret_from_fork+0x29/0x50 </TASK>

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-415 - Double Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/1ea68070338518a1d…
	https://git.kernel.org/stable/c/a2be5f2ba34d0c6d5…
	https://git.kernel.org/stable/c/fa2f9906a7b333ba7…

Impacted products

Vendor

Product

Version

Linux

Affected: 7be3248f313930ff3d3436d4e9ddbe9fccc1f541 , < 1ea68070338518a1d31ce71e6abfe1b30001b27a (git)
Affected: 7be3248f313930ff3d3436d4e9ddbe9fccc1f541 , < a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a (git)
Affected: 7be3248f313930ff3d3436d4e9ddbe9fccc1f541 , < fa2f9906a7b333ba757a7dbae0713d8a5396186e (git)
Affected: 49f933bb3016269dc50074eac5f6033d127644f1 (git)
Affected: 1c35a216ef77db708178ca225d796271f2f60a7a (git)

Linux

Affected: 5.16
Unaffected: 0 , < 5.16 (semver)
Unaffected: 6.6.74 , ≤ 6.6.* (semver)
Unaffected: 6.12.11 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21673",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:52:08.291891Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-415",
                "description": "CWE-415 Double Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:57:12.012Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/connect.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "1ea68070338518a1d31ce71e6abfe1b30001b27a",
              "status": "affected",
              "version": "7be3248f313930ff3d3436d4e9ddbe9fccc1f541",
              "versionType": "git"
            },
            {
              "lessThan": "a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a",
              "status": "affected",
              "version": "7be3248f313930ff3d3436d4e9ddbe9fccc1f541",
              "versionType": "git"
            },
            {
              "lessThan": "fa2f9906a7b333ba757a7dbae0713d8a5396186e",
              "status": "affected",
              "version": "7be3248f313930ff3d3436d4e9ddbe9fccc1f541",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "49f933bb3016269dc50074eac5f6033d127644f1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1c35a216ef77db708178ca225d796271f2f60a7a",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/connect.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.16"
            },
            {
              "lessThan": "5.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.74",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.13",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.74",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.11",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13",
                  "versionStartIncluding": "5.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.14.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.15.3",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsmb: client: fix double free of TCP_Server_Info::hostname\n\nWhen shutting down the server in cifs_put_tcp_session(), cifsd thread\nmight be reconnecting to multiple DFS targets before it realizes it\nshould exit the loop, so @server-\u003ehostname can\u0027t be freed as long as\ncifsd thread isn\u0027t done.  Otherwise the following can happen:\n\n  RIP: 0010:__slab_free+0x223/0x3c0\n  Code: 5e 41 5f c3 cc cc cc cc 4c 89 de 4c 89 cf 44 89 44 24 08 4c 89\n  1c 24 e8 fb cf 8e 00 44 8b 44 24 08 4c 8b 1c 24 e9 5f fe ff ff \u003c0f\u003e\n  0b 41 f7 45 08 00 0d 21 00 0f 85 2d ff ff ff e9 1f ff ff ff 80\n  RSP: 0018:ffffb26180dbfd08 EFLAGS: 00010246\n  RAX: ffff8ea34728e510 RBX: ffff8ea34728e500 RCX: 0000000000800068\n  RDX: 0000000000800068 RSI: 0000000000000000 RDI: ffff8ea340042400\n  RBP: ffffe112041ca380 R08: 0000000000000001 R09: 0000000000000000\n  R10: 6170732e31303000 R11: 70726f632e786563 R12: ffff8ea34728e500\n  R13: ffff8ea340042400 R14: ffff8ea34728e500 R15: 0000000000800068\n  FS: 0000000000000000(0000) GS:ffff8ea66fd80000(0000)\n  000000\n  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n  CR2: 00007ffc25376080 CR3: 000000012a2ba001 CR4:\n  PKRU: 55555554\n  Call Trace:\n   \u003cTASK\u003e\n   ? show_trace_log_lvl+0x1c4/0x2df\n   ? show_trace_log_lvl+0x1c4/0x2df\n   ? __reconnect_target_unlocked+0x3e/0x160 [cifs]\n   ? __die_body.cold+0x8/0xd\n   ? die+0x2b/0x50\n   ? do_trap+0xce/0x120\n   ? __slab_free+0x223/0x3c0\n   ? do_error_trap+0x65/0x80\n   ? __slab_free+0x223/0x3c0\n   ? exc_invalid_op+0x4e/0x70\n   ? __slab_free+0x223/0x3c0\n   ? asm_exc_invalid_op+0x16/0x20\n   ? __slab_free+0x223/0x3c0\n   ? extract_hostname+0x5c/0xa0 [cifs]\n   ? extract_hostname+0x5c/0xa0 [cifs]\n   ? __kmalloc+0x4b/0x140\n   __reconnect_target_unlocked+0x3e/0x160 [cifs]\n   reconnect_dfs_server+0x145/0x430 [cifs]\n   cifs_handle_standard+0x1ad/0x1d0 [cifs]\n   cifs_demultiplex_thread+0x592/0x730 [cifs]\n   ? __pfx_cifs_demultiplex_thread+0x10/0x10 [cifs]\n   kthread+0xdd/0x100\n   ? __pfx_kthread+0x10/0x10\n   ret_from_fork+0x29/0x50\n   \u003c/TASK\u003e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T13:06:14.933Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/1ea68070338518a1d31ce71e6abfe1b30001b27a"
        },
        {
          "url": "https://git.kernel.org/stable/c/a2be5f2ba34d0c6d5ef2624b24e3d852561fcd6a"
        },
        {
          "url": "https://git.kernel.org/stable/c/fa2f9906a7b333ba757a7dbae0713d8a5396186e"
        }
      ],
      "title": "smb: client: fix double free of TCP_Server_Info::hostname",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21673",
    "datePublished": "2025-01-31T11:25:35.922Z",
    "dateReserved": "2024-12-29T08:45:45.736Z",
    "dateUpdated": "2025-10-01T19:57:12.012Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37819 (GCVE-0-2025-37819)

Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2025-11-03 19:55

Title

irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()

Summary

In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode() With ACPI in place, gicv2m_get_fwnode() is registered with the pci subsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime during a PCI host bridge probe. But, the call back is wrongly marked as __init, causing it to be freed, while being registered with the PCI subsystem and could trigger: Unable to handle kernel paging request at virtual address ffff8000816c0400 gicv2m_get_fwnode+0x0/0x58 (P) pci_set_bus_msi_domain+0x74/0x88 pci_register_host_bridge+0x194/0x548 This is easily reproducible on a Juno board with ACPI boot. Retain the function for later use.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0c241dedc43a03659…
	https://git.kernel.org/stable/c/b63de43af8d215b04…
	https://git.kernel.org/stable/c/f95659affee301464…
	https://git.kernel.org/stable/c/dc0d654eb4179b06d…
	https://git.kernel.org/stable/c/2f2803e4b5e4df2b0…
	https://git.kernel.org/stable/c/3939d6f29d34cdb60…
	https://git.kernel.org/stable/c/47bee0081b483b077…
	https://git.kernel.org/stable/c/3318dc299b072a051…

Impacted products

Vendor

Product

Version

Linux

Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < 0c241dedc43a036599757cd08f356253fa3e5014 (git)
Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < b63de43af8d215b0499eac28b2caa4439183efc1 (git)
Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < f95659affee301464f0d058d528d96b35b452da8 (git)
Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < dc0d654eb4179b06d3206e4396d072108b9ba082 (git)
Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < 2f2803e4b5e4df2b08d378deaab78b1681ef9b30 (git)
Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < 3939d6f29d34cdb60e3f68b76e39e00a964a1d51 (git)
Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < 47bee0081b483b077c7560bc5358ad101f89c8ef (git)
Affected: 0644b3daca28dcb320373ae20069c269c9386304 , < 3318dc299b072a0511d6dfd8367f3304fb6d9827 (git)

Linux

Affected: 4.5
Unaffected: 0 , < 4.5 (semver)
Unaffected: 5.4.294 , ≤ 5.4.* (semver)
Unaffected: 5.10.238 , ≤ 5.10.* (semver)
Unaffected: 5.15.182 , ≤ 5.15.* (semver)
Unaffected: 6.1.138 , ≤ 6.1.* (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:55:52.082Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00010.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/irqchip/irq-gic-v2m.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c241dedc43a036599757cd08f356253fa3e5014",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "b63de43af8d215b0499eac28b2caa4439183efc1",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "f95659affee301464f0d058d528d96b35b452da8",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "dc0d654eb4179b06d3206e4396d072108b9ba082",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "2f2803e4b5e4df2b08d378deaab78b1681ef9b30",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "3939d6f29d34cdb60e3f68b76e39e00a964a1d51",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "47bee0081b483b077c7560bc5358ad101f89c8ef",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            },
            {
              "lessThan": "3318dc299b072a0511d6dfd8367f3304fb6d9827",
              "status": "affected",
              "version": "0644b3daca28dcb320373ae20069c269c9386304",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/irqchip/irq-gic-v2m.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.294",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.238",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.182",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.138",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.294",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.238",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.182",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.138",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nirqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()\n\nWith ACPI in place, gicv2m_get_fwnode() is registered with the pci\nsubsystem as pci_msi_get_fwnode_cb(), which may get invoked at runtime\nduring a PCI host bridge probe. But, the call back is wrongly marked as\n__init, causing it to be freed, while being registered with the PCI\nsubsystem and could trigger:\n\n Unable to handle kernel paging request at virtual address ffff8000816c0400\n  gicv2m_get_fwnode+0x0/0x58 (P)\n  pci_set_bus_msi_domain+0x74/0x88\n  pci_register_host_bridge+0x194/0x548\n\nThis is easily reproducible on a Juno board with ACPI boot.\n\nRetain the function for later use."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-04T12:57:23.467Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c241dedc43a036599757cd08f356253fa3e5014"
        },
        {
          "url": "https://git.kernel.org/stable/c/b63de43af8d215b0499eac28b2caa4439183efc1"
        },
        {
          "url": "https://git.kernel.org/stable/c/f95659affee301464f0d058d528d96b35b452da8"
        },
        {
          "url": "https://git.kernel.org/stable/c/dc0d654eb4179b06d3206e4396d072108b9ba082"
        },
        {
          "url": "https://git.kernel.org/stable/c/2f2803e4b5e4df2b08d378deaab78b1681ef9b30"
        },
        {
          "url": "https://git.kernel.org/stable/c/3939d6f29d34cdb60e3f68b76e39e00a964a1d51"
        },
        {
          "url": "https://git.kernel.org/stable/c/47bee0081b483b077c7560bc5358ad101f89c8ef"
        },
        {
          "url": "https://git.kernel.org/stable/c/3318dc299b072a0511d6dfd8367f3304fb6d9827"
        }
      ],
      "title": "irqchip/gic-v2m: Prevent use after free of gicv2m_get_fwnode()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37819",
    "datePublished": "2025-05-08T06:26:13.975Z",
    "dateReserved": "2025-04-16T04:51:23.947Z",
    "dateUpdated": "2025-11-03T19:55:52.082Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21955 (GCVE-0-2025-21955)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2025-05-04 07:25

Title

ksmbd: prevent connection release during oplock break notification

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: prevent connection release during oplock break notification ksmbd_work could be freed when after connection release. Increment r_count of ksmbd_conn to indicate that requests are not finished yet and to not release the connection.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/09aeab68033161cb5…
	https://git.kernel.org/stable/c/a4261bbc33fbf99b9…
	https://git.kernel.org/stable/c/f17d1c63a76b0fe8e…
	https://git.kernel.org/stable/c/3aa660c059240e0c7…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 09aeab68033161cb54f194da93e51a11aee6144b (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < a4261bbc33fbf99b99c80aa3a2c5097611802980 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < f17d1c63a76b0fe8e9c78023a86507a3a6d62cfa (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 3aa660c059240e0c795217182cf7df32909dd917 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/connection.c",
            "fs/smb/server/connection.h",
            "fs/smb/server/oplock.c",
            "fs/smb/server/server.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "09aeab68033161cb54f194da93e51a11aee6144b",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "a4261bbc33fbf99b99c80aa3a2c5097611802980",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "f17d1c63a76b0fe8e9c78023a86507a3a6d62cfa",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "3aa660c059240e0c795217182cf7df32909dd917",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/connection.c",
            "fs/smb/server/connection.h",
            "fs/smb/server/oplock.c",
            "fs/smb/server/server.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: prevent connection release during oplock break notification\n\nksmbd_work could be freed when after connection release.\nIncrement r_count of ksmbd_conn to indicate that requests\nare not finished yet and to not release the connection."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:42.311Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/09aeab68033161cb54f194da93e51a11aee6144b"
        },
        {
          "url": "https://git.kernel.org/stable/c/a4261bbc33fbf99b99c80aa3a2c5097611802980"
        },
        {
          "url": "https://git.kernel.org/stable/c/f17d1c63a76b0fe8e9c78023a86507a3a6d62cfa"
        },
        {
          "url": "https://git.kernel.org/stable/c/3aa660c059240e0c795217182cf7df32909dd917"
        }
      ],
      "title": "ksmbd: prevent connection release during oplock break notification",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21955",
    "datePublished": "2025-04-01T15:46:55.724Z",
    "dateReserved": "2024-12-29T08:45:45.790Z",
    "dateUpdated": "2025-05-04T07:25:42.311Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37811 (GCVE-0-2025-37811)

Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2025-11-03 19:55

Title

usb: chipidea: ci_hdrc_imx: fix usbmisc handling

Summary

In the Linux kernel, the following vulnerability has been resolved: usb: chipidea: ci_hdrc_imx: fix usbmisc handling usbmisc is an optional device property so it is totally valid for the corresponding data->usbmisc_data to have a NULL value. Check that before dereferencing the pointer. Found by Linux Verification Center (linuxtesting.org) with Svace static analysis tool.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/8060b719676e8c0e5…
	https://git.kernel.org/stable/c/0ee460498ced49196…
	https://git.kernel.org/stable/c/121e9f80ea5478bca…
	https://git.kernel.org/stable/c/887902ca73490f38c…
	https://git.kernel.org/stable/c/2aa87bd825377f507…
	https://git.kernel.org/stable/c/4e28f79e3dffa52d3…

Impacted products

Vendor

Product

Version

Linux

Affected: 3f46fefab962fc5dcfe4d53a7c2cdccd51ebdc6d , < 8060b719676e8c0e5a2222c2977ba0458d9d9535 (git)
Affected: 7ae96eba35036bdd47ecd956e882ff057a550405 , < 0ee460498ced49196149197c9f6d29a10e5e0798 (git)
Affected: dcd4de31bd01a7189c24e3cafe40649c9c42b9af , < 121e9f80ea5478bca3a8f3f26593fd66f87da649 (git)
Affected: 57797497a696cffaea421fc4e5a3ea2a8536b1a2 , < 887902ca73490f38c69fd6149ef361a041cf912f (git)
Affected: 74adad500346fb07d69af2c79acbff4adb061134 , < 2aa87bd825377f5073b76701780a902cd0fc725a (git)
Affected: 74adad500346fb07d69af2c79acbff4adb061134 , < 4e28f79e3dffa52d327b46d1a78dac16efb5810b (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.136 , ≤ 6.1.* (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:55:42.330Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/chipidea/ci_hdrc_imx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "8060b719676e8c0e5a2222c2977ba0458d9d9535",
              "status": "affected",
              "version": "3f46fefab962fc5dcfe4d53a7c2cdccd51ebdc6d",
              "versionType": "git"
            },
            {
              "lessThan": "0ee460498ced49196149197c9f6d29a10e5e0798",
              "status": "affected",
              "version": "7ae96eba35036bdd47ecd956e882ff057a550405",
              "versionType": "git"
            },
            {
              "lessThan": "121e9f80ea5478bca3a8f3f26593fd66f87da649",
              "status": "affected",
              "version": "dcd4de31bd01a7189c24e3cafe40649c9c42b9af",
              "versionType": "git"
            },
            {
              "lessThan": "887902ca73490f38c69fd6149ef361a041cf912f",
              "status": "affected",
              "version": "57797497a696cffaea421fc4e5a3ea2a8536b1a2",
              "versionType": "git"
            },
            {
              "lessThan": "2aa87bd825377f5073b76701780a902cd0fc725a",
              "status": "affected",
              "version": "74adad500346fb07d69af2c79acbff4adb061134",
              "versionType": "git"
            },
            {
              "lessThan": "4e28f79e3dffa52d327b46d1a78dac16efb5810b",
              "status": "affected",
              "version": "74adad500346fb07d69af2c79acbff4adb061134",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/usb/chipidea/ci_hdrc_imx.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "5.15.179",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.136",
                  "versionStartIncluding": "6.1.129",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "6.6.72",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "6.12.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: chipidea: ci_hdrc_imx: fix usbmisc handling\n\nusbmisc is an optional device property so it is totally valid for the\ncorresponding data-\u003eusbmisc_data to have a NULL value.\n\nCheck that before dereferencing the pointer.\n\nFound by Linux Verification Center (linuxtesting.org) with Svace static\nanalysis tool."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:22.215Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/8060b719676e8c0e5a2222c2977ba0458d9d9535"
        },
        {
          "url": "https://git.kernel.org/stable/c/0ee460498ced49196149197c9f6d29a10e5e0798"
        },
        {
          "url": "https://git.kernel.org/stable/c/121e9f80ea5478bca3a8f3f26593fd66f87da649"
        },
        {
          "url": "https://git.kernel.org/stable/c/887902ca73490f38c69fd6149ef361a041cf912f"
        },
        {
          "url": "https://git.kernel.org/stable/c/2aa87bd825377f5073b76701780a902cd0fc725a"
        },
        {
          "url": "https://git.kernel.org/stable/c/4e28f79e3dffa52d327b46d1a78dac16efb5810b"
        }
      ],
      "title": "usb: chipidea: ci_hdrc_imx: fix usbmisc handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37811",
    "datePublished": "2025-05-08T06:26:08.746Z",
    "dateReserved": "2025-04-16T04:51:23.942Z",
    "dateUpdated": "2025-11-03T19:55:42.330Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37833 (GCVE-0-2025-37833)

Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2025-05-26 05:21

Title

net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads

Summary

In the Linux kernel, the following vulnerability has been resolved: net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads Fix niu_try_msix() to not cause a fatal trap on sparc systems. Set PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST on the struct pci_dev to work around a bug in the hardware or firmware. For each vector entry in the msix table, niu chips will cause a fatal trap if any registers in that entry are read before that entries' ENTRY_DATA register is written to. Testing indicates writes to other registers are not sufficient to prevent the fatal trap, however the value does not appear to matter. This only needs to happen once after power up, so simply rebooting into a kernel lacking this fix will NOT cause the trap. NON-RESUMABLE ERROR: Reporting on cpu 64 NON-RESUMABLE ERROR: TPC [0x00000000005f6900] <msix_prepare_msi_desc+0x90/0xa0> NON-RESUMABLE ERROR: RAW [4010000000000016:00000e37f93e32ff:0000000202000080:ffffffffffffffff NON-RESUMABLE ERROR: 0000000800000000:0000000000000000:0000000000000000:0000000000000000] NON-RESUMABLE ERROR: handle [0x4010000000000016] stick [0x00000e37f93e32ff] NON-RESUMABLE ERROR: type [precise nonresumable] NON-RESUMABLE ERROR: attrs [0x02000080] < ASI sp-faulted priv > NON-RESUMABLE ERROR: raddr [0xffffffffffffffff] NON-RESUMABLE ERROR: insn effective address [0x000000c50020000c] NON-RESUMABLE ERROR: size [0x8] NON-RESUMABLE ERROR: asi [0x00] CPU: 64 UID: 0 PID: 745 Comm: kworker/64:1 Not tainted 6.11.5 #63 Workqueue: events work_for_cpu_fn TSTATE: 0000000011001602 TPC: 00000000005f6900 TNPC: 00000000005f6904 Y: 00000000 Not tainted TPC: <msix_prepare_msi_desc+0x90/0xa0> g0: 00000000000002e9 g1: 000000000000000c g2: 000000c50020000c g3: 0000000000000100 g4: ffff8000470307c0 g5: ffff800fec5be000 g6: ffff800047a08000 g7: 0000000000000000 o0: ffff800014feb000 o1: ffff800047a0b620 o2: 0000000000000011 o3: ffff800047a0b620 o4: 0000000000000080 o5: 0000000000000011 sp: ffff800047a0ad51 ret_pc: 00000000005f7128 RPC: <__pci_enable_msix_range+0x3cc/0x460> l0: 000000000000000d l1: 000000000000c01f l2: ffff800014feb0a8 l3: 0000000000000020 l4: 000000000000c000 l5: 0000000000000001 l6: 0000000020000000 l7: ffff800047a0b734 i0: ffff800014feb000 i1: ffff800047a0b730 i2: 0000000000000001 i3: 000000000000000d i4: 0000000000000000 i5: 0000000000000000 i6: ffff800047a0ae81 i7: 00000000101888b0 I7: <niu_try_msix.constprop.0+0xc0/0x130 [niu]> Call Trace: [<00000000101888b0>] niu_try_msix.constprop.0+0xc0/0x130 [niu] [<000000001018f840>] niu_get_invariants+0x183c/0x207c [niu] [<00000000101902fc>] niu_pci_init_one+0x27c/0x2fc [niu] [<00000000005ef3e4>] local_pci_probe+0x28/0x74 [<0000000000469240>] work_for_cpu_fn+0x8/0x1c [<000000000046b008>] process_scheduled_works+0x144/0x210 [<000000000046b518>] worker_thread+0x13c/0x1c0 [<00000000004710e0>] kthread+0xb8/0xc8 [<00000000004060c8>] ret_from_fork+0x1c/0x2c [<0000000000000000>] 0x0 Kernel panic - not syncing: Non-resumable error.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/c187aaa9e79b4b6d8…
	https://git.kernel.org/stable/c/64903e4849a71cf7f…
	https://git.kernel.org/stable/c/fbb429ddff5c8e479…

Impacted products

Vendor

Product

Version

Linux

Affected: 7d5ec3d3612396dc6d4b76366d20ab9fc06f399f , < c187aaa9e79b4b6d86ac7ba941e579ad33df5538 (git)
Affected: 7d5ec3d3612396dc6d4b76366d20ab9fc06f399f , < 64903e4849a71cf7f7c7e5d45225ccefc1280929 (git)
Affected: 7d5ec3d3612396dc6d4b76366d20ab9fc06f399f , < fbb429ddff5c8e479edcc7dde5a542c9295944e6 (git)
Affected: e6454fd429b0ba6513ac1de27a0bd6ccac021a40 (git)
Affected: 3590d16b47ac561a4f2504befe43def10ed1814c (git)
Affected: e1d5e8a561baaafed6e35d72a6ad53d248580d6c (git)
Affected: 3b570884c868c12e3184627ce4b4a167e9d6f018 (git)
Affected: 1866c8f6d43c3c6ffa2bfe086b65392b3a3fafb1 (git)
Affected: aa8092c1d1f142f797995d0448afb73a5148f4ae (git)
Affected: 6c971252f09040af40d20851cf4e14018e6710d9 (git)

Linux

Affected: 5.14
Unaffected: 0 , < 5.14 (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/sun/niu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "c187aaa9e79b4b6d86ac7ba941e579ad33df5538",
              "status": "affected",
              "version": "7d5ec3d3612396dc6d4b76366d20ab9fc06f399f",
              "versionType": "git"
            },
            {
              "lessThan": "64903e4849a71cf7f7c7e5d45225ccefc1280929",
              "status": "affected",
              "version": "7d5ec3d3612396dc6d4b76366d20ab9fc06f399f",
              "versionType": "git"
            },
            {
              "lessThan": "fbb429ddff5c8e479edcc7dde5a542c9295944e6",
              "status": "affected",
              "version": "7d5ec3d3612396dc6d4b76366d20ab9fc06f399f",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e6454fd429b0ba6513ac1de27a0bd6ccac021a40",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3590d16b47ac561a4f2504befe43def10ed1814c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "e1d5e8a561baaafed6e35d72a6ad53d248580d6c",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3b570884c868c12e3184627ce4b4a167e9d6f018",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1866c8f6d43c3c6ffa2bfe086b65392b3a3fafb1",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "aa8092c1d1f142f797995d0448afb73a5148f4ae",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "6c971252f09040af40d20851cf4e14018e6710d9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/sun/niu.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.14"
            },
            {
              "lessThan": "5.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "5.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.4.282",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.9.281",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.14.245",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.205",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.4.142",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.10.60",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "5.13.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads\n\nFix niu_try_msix() to not cause a fatal trap on sparc systems.\n\nSet PCI_DEV_FLAGS_MSIX_TOUCH_ENTRY_DATA_FIRST on the struct pci_dev to\nwork around a bug in the hardware or firmware.\n\nFor each vector entry in the msix table, niu chips will cause a fatal\ntrap if any registers in that entry are read before that entries\u0027\nENTRY_DATA register is written to. Testing indicates writes to other\nregisters are not sufficient to prevent the fatal trap, however the value\ndoes not appear to matter. This only needs to happen once after power up,\nso simply rebooting into a kernel lacking this fix will NOT cause the\ntrap.\n\nNON-RESUMABLE ERROR: Reporting on cpu 64\nNON-RESUMABLE ERROR: TPC [0x00000000005f6900] \u003cmsix_prepare_msi_desc+0x90/0xa0\u003e\nNON-RESUMABLE ERROR: RAW [4010000000000016:00000e37f93e32ff:0000000202000080:ffffffffffffffff\nNON-RESUMABLE ERROR:      0000000800000000:0000000000000000:0000000000000000:0000000000000000]\nNON-RESUMABLE ERROR: handle [0x4010000000000016] stick [0x00000e37f93e32ff]\nNON-RESUMABLE ERROR: type [precise nonresumable]\nNON-RESUMABLE ERROR: attrs [0x02000080] \u003c ASI sp-faulted priv \u003e\nNON-RESUMABLE ERROR: raddr [0xffffffffffffffff]\nNON-RESUMABLE ERROR: insn effective address [0x000000c50020000c]\nNON-RESUMABLE ERROR: size [0x8]\nNON-RESUMABLE ERROR: asi [0x00]\nCPU: 64 UID: 0 PID: 745 Comm: kworker/64:1 Not tainted 6.11.5 #63\nWorkqueue: events work_for_cpu_fn\nTSTATE: 0000000011001602 TPC: 00000000005f6900 TNPC: 00000000005f6904 Y: 00000000    Not tainted\nTPC: \u003cmsix_prepare_msi_desc+0x90/0xa0\u003e\ng0: 00000000000002e9 g1: 000000000000000c g2: 000000c50020000c g3: 0000000000000100\ng4: ffff8000470307c0 g5: ffff800fec5be000 g6: ffff800047a08000 g7: 0000000000000000\no0: ffff800014feb000 o1: ffff800047a0b620 o2: 0000000000000011 o3: ffff800047a0b620\no4: 0000000000000080 o5: 0000000000000011 sp: ffff800047a0ad51 ret_pc: 00000000005f7128\nRPC: \u003c__pci_enable_msix_range+0x3cc/0x460\u003e\nl0: 000000000000000d l1: 000000000000c01f l2: ffff800014feb0a8 l3: 0000000000000020\nl4: 000000000000c000 l5: 0000000000000001 l6: 0000000020000000 l7: ffff800047a0b734\ni0: ffff800014feb000 i1: ffff800047a0b730 i2: 0000000000000001 i3: 000000000000000d\ni4: 0000000000000000 i5: 0000000000000000 i6: ffff800047a0ae81 i7: 00000000101888b0\nI7: \u003cniu_try_msix.constprop.0+0xc0/0x130 [niu]\u003e\nCall Trace:\n[\u003c00000000101888b0\u003e] niu_try_msix.constprop.0+0xc0/0x130 [niu]\n[\u003c000000001018f840\u003e] niu_get_invariants+0x183c/0x207c [niu]\n[\u003c00000000101902fc\u003e] niu_pci_init_one+0x27c/0x2fc [niu]\n[\u003c00000000005ef3e4\u003e] local_pci_probe+0x28/0x74\n[\u003c0000000000469240\u003e] work_for_cpu_fn+0x8/0x1c\n[\u003c000000000046b008\u003e] process_scheduled_works+0x144/0x210\n[\u003c000000000046b518\u003e] worker_thread+0x13c/0x1c0\n[\u003c00000000004710e0\u003e] kthread+0xb8/0xc8\n[\u003c00000000004060c8\u003e] ret_from_fork+0x1c/0x2c\n[\u003c0000000000000000\u003e] 0x0\nKernel panic - not syncing: Non-resumable error."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:21:54.880Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/c187aaa9e79b4b6d86ac7ba941e579ad33df5538"
        },
        {
          "url": "https://git.kernel.org/stable/c/64903e4849a71cf7f7c7e5d45225ccefc1280929"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbb429ddff5c8e479edcc7dde5a542c9295944e6"
        }
      ],
      "title": "net/niu: Niu requires MSIX ENTRY_DATA fields touch before entry reads",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37833",
    "datePublished": "2025-05-08T06:26:23.821Z",
    "dateReserved": "2025-04-16T04:51:23.951Z",
    "dateUpdated": "2025-05-26T05:21:54.880Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22054 (GCVE-0-2025-22054)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-11-03 19:41

Title

arcnet: Add NULL check in com20020pci_probe()

Summary

In the Linux kernel, the following vulnerability has been resolved: arcnet: Add NULL check in com20020pci_probe() devm_kasprintf() returns NULL when memory allocation fails. Currently, com20020pci_probe() does not check for this case, which results in a NULL pointer dereference. Add NULL check after devm_kasprintf() to prevent this issue and ensure no resources are left allocated.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/661cf5d102949898c…
	https://git.kernel.org/stable/c/905a34dc1ad9a53a8…
	https://git.kernel.org/stable/c/ef8b29398ea6061ac…
	https://git.kernel.org/stable/c/be8a0decd0b59a52a…
	https://git.kernel.org/stable/c/ececf8eff6c25acc2…
	https://git.kernel.org/stable/c/ebebeb58d48e25525…
	https://git.kernel.org/stable/c/a654f31b33515d39b…
	https://git.kernel.org/stable/c/887226163504494ea…
	https://git.kernel.org/stable/c/fda8c491db2a90ff3…

Impacted products

Vendor

Product

Version

Linux

Affected: e38cd53421ed4e37fc99662a0f2a0c567993844f , < 661cf5d102949898c931e81fd4e1c773afcdeafa (git)
Affected: d54f5a5bc85afd01b0a00689b795e31db54adc15 , < 905a34dc1ad9a53a8aaaf8a759ea5dbaaa30418d (git)
Affected: 75c53a4c43295fb8b09edae45239790db9cc69c3 , < ef8b29398ea6061ac8257f3e45c9be45cc004ce2 (git)
Affected: 8d034da82563a526dbd7e9069bb3f6946403b72c , < be8a0decd0b59a52a07276f9ef3b33ef820b2179 (git)
Affected: 5106d7adb74bc6160806b45ffd2321b10ca14ee0 , < ececf8eff6c25acc239fa8f0fd837c76bc770547 (git)
Affected: 6b17a597fc2f13aaaa0a2780eb7edb9ae7ac9aea , < ebebeb58d48e25525fa654f2c53a24713fe141c3 (git)
Affected: 6b17a597fc2f13aaaa0a2780eb7edb9ae7ac9aea , < a654f31b33515d39bb56c75fd8b26bef025ced7e (git)
Affected: 6b17a597fc2f13aaaa0a2780eb7edb9ae7ac9aea , < 887226163504494ea7e58033a97c2d2ab12e05d4 (git)
Affected: 6b17a597fc2f13aaaa0a2780eb7edb9ae7ac9aea , < fda8c491db2a90ff3e6fbbae58e495b4ddddeca3 (git)
Affected: 2e4ad90b15a7341c2d96d2dc6df6d135d72256b6 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-22054",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T17:53:31.112674Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T17:53:34.158Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:35.650Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/arcnet/com20020-pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "661cf5d102949898c931e81fd4e1c773afcdeafa",
              "status": "affected",
              "version": "e38cd53421ed4e37fc99662a0f2a0c567993844f",
              "versionType": "git"
            },
            {
              "lessThan": "905a34dc1ad9a53a8aaaf8a759ea5dbaaa30418d",
              "status": "affected",
              "version": "d54f5a5bc85afd01b0a00689b795e31db54adc15",
              "versionType": "git"
            },
            {
              "lessThan": "ef8b29398ea6061ac8257f3e45c9be45cc004ce2",
              "status": "affected",
              "version": "75c53a4c43295fb8b09edae45239790db9cc69c3",
              "versionType": "git"
            },
            {
              "lessThan": "be8a0decd0b59a52a07276f9ef3b33ef820b2179",
              "status": "affected",
              "version": "8d034da82563a526dbd7e9069bb3f6946403b72c",
              "versionType": "git"
            },
            {
              "lessThan": "ececf8eff6c25acc239fa8f0fd837c76bc770547",
              "status": "affected",
              "version": "5106d7adb74bc6160806b45ffd2321b10ca14ee0",
              "versionType": "git"
            },
            {
              "lessThan": "ebebeb58d48e25525fa654f2c53a24713fe141c3",
              "status": "affected",
              "version": "6b17a597fc2f13aaaa0a2780eb7edb9ae7ac9aea",
              "versionType": "git"
            },
            {
              "lessThan": "a654f31b33515d39bb56c75fd8b26bef025ced7e",
              "status": "affected",
              "version": "6b17a597fc2f13aaaa0a2780eb7edb9ae7ac9aea",
              "versionType": "git"
            },
            {
              "lessThan": "887226163504494ea7e58033a97c2d2ab12e05d4",
              "status": "affected",
              "version": "6b17a597fc2f13aaaa0a2780eb7edb9ae7ac9aea",
              "versionType": "git"
            },
            {
              "lessThan": "fda8c491db2a90ff3e6fbbae58e495b4ddddeca3",
              "status": "affected",
              "version": "6b17a597fc2f13aaaa0a2780eb7edb9ae7ac9aea",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "2e4ad90b15a7341c2d96d2dc6df6d135d72256b6",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/arcnet/com20020-pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "5.4.264",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "5.10.204",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.15.143",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "6.1.68",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "6.6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "4.19.302",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narcnet: Add NULL check in com20020pci_probe()\n\ndevm_kasprintf() returns NULL when memory allocation fails. Currently,\ncom20020pci_probe() does not check for this case, which results in a\nNULL pointer dereference.\n\nAdd NULL check after devm_kasprintf() to prevent this issue and ensure\nno resources are left allocated."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:27.985Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/661cf5d102949898c931e81fd4e1c773afcdeafa"
        },
        {
          "url": "https://git.kernel.org/stable/c/905a34dc1ad9a53a8aaaf8a759ea5dbaaa30418d"
        },
        {
          "url": "https://git.kernel.org/stable/c/ef8b29398ea6061ac8257f3e45c9be45cc004ce2"
        },
        {
          "url": "https://git.kernel.org/stable/c/be8a0decd0b59a52a07276f9ef3b33ef820b2179"
        },
        {
          "url": "https://git.kernel.org/stable/c/ececf8eff6c25acc239fa8f0fd837c76bc770547"
        },
        {
          "url": "https://git.kernel.org/stable/c/ebebeb58d48e25525fa654f2c53a24713fe141c3"
        },
        {
          "url": "https://git.kernel.org/stable/c/a654f31b33515d39bb56c75fd8b26bef025ced7e"
        },
        {
          "url": "https://git.kernel.org/stable/c/887226163504494ea7e58033a97c2d2ab12e05d4"
        },
        {
          "url": "https://git.kernel.org/stable/c/fda8c491db2a90ff3e6fbbae58e495b4ddddeca3"
        }
      ],
      "title": "arcnet: Add NULL check in com20020pci_probe()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22054",
    "datePublished": "2025-04-16T14:12:11.849Z",
    "dateReserved": "2024-12-29T08:45:45.811Z",
    "dateUpdated": "2025-11-03T19:41:35.650Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-49958 (GCVE-0-2024-49958)

Vulnerability from cvelistv5 – Published: 2024-10-21 18:02 – Updated: 2025-11-03 22:23

Title

ocfs2: reserve space for inline xattr before attaching reflink tree

Summary

In the Linux kernel, the following vulnerability has been resolved: ocfs2: reserve space for inline xattr before attaching reflink tree One of our customers reported a crash and a corrupted ocfs2 filesystem. The crash was due to the detection of corruption. Upon troubleshooting, the fsck -fn output showed the below corruption [EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record, but fsck believes the largest valid value is 227. Clamp the next record value? n The stat output from the debugfs.ocfs2 showed the following corruption where the "Next Free Rec:" had overshot the "Count:" in the root metadata block. Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856) FS Generation: 904309833 (0x35e6ac49) CRC32: 00000000 ECC: 0000 Type: Regular Attr: 0x0 Flags: Valid Dynamic Features: (0x16) HasXattr InlineXattr Refcounted Extended Attributes Block: 0 Extended Attributes Inline Size: 256 User: 0 (root) Group: 0 (root) Size: 281320357888 Links: 1 Clusters: 141738 ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024 atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024 mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024 dtime: 0x0 -- Wed Dec 31 17:00:00 1969 Refcount Block: 2777346 Last Extblk: 2886943 Orphan Slot: 0 Sub Alloc Slot: 0 Sub Alloc Bit: 14 Tree Depth: 1 Count: 227 Next Free Rec: 230 ## Offset Clusters Block# 0 0 2310 2776351 1 2310 2139 2777375 2 4449 1221 2778399 3 5670 731 2779423 4 6401 566 2780447 ....... .... ....... ....... .... ....... The issue was in the reflink workfow while reserving space for inline xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the time this function is called the reflink tree is already recreated at the destination inode from the source inode. At this point, this function reserves space for inline xattrs at the destination inode without even checking if there is space at the root metadata block. It simply reduces the l_count from 243 to 227 thereby making space of 256 bytes for inline xattr whereas the inode already has extents beyond this index (in this case up to 230), thereby causing corruption. The fix for this is to reserve space for inline metadata at the destination inode before the reflink tree gets recreated. The customer has verified the fix.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/5c9807c523b4fca81…
	https://git.kernel.org/stable/c/74364cb578dcc0b6c…
	https://git.kernel.org/stable/c/aac31d654a0a31cb0…
	https://git.kernel.org/stable/c/020f5c53c17f66c0a…
	https://git.kernel.org/stable/c/5c2072f02c0d75802…
	https://git.kernel.org/stable/c/637c00e06564a945e…
	https://git.kernel.org/stable/c/9f9a8f3ac65b4147f…
	https://git.kernel.org/stable/c/96ce4c3537114d169…
	https://git.kernel.org/stable/c/5ca60b86f57a4d964…

Impacted products

Vendor

Product

Version

Linux

Affected: ef962df057aaafd714f5c22ba3de1be459571fdf , < 5c9807c523b4fca81d3e8e864dabc8c806402121 (git)
Affected: ef962df057aaafd714f5c22ba3de1be459571fdf , < 74364cb578dcc0b6c9109519d19cbe5a56afac9a (git)
Affected: ef962df057aaafd714f5c22ba3de1be459571fdf , < aac31d654a0a31cb0d2fa36ae694f4e164a52707 (git)
Affected: ef962df057aaafd714f5c22ba3de1be459571fdf , < 020f5c53c17f66c0a8f2d37dad27ace301b8d8a1 (git)
Affected: ef962df057aaafd714f5c22ba3de1be459571fdf , < 5c2072f02c0d75802ec28ec703b7d43a0dd008b5 (git)
Affected: ef962df057aaafd714f5c22ba3de1be459571fdf , < 637c00e06564a945e9d0edb3d78d362d64935f9f (git)
Affected: ef962df057aaafd714f5c22ba3de1be459571fdf , < 9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9 (git)
Affected: ef962df057aaafd714f5c22ba3de1be459571fdf , < 96ce4c3537114d1698be635f5e36c62dc49df7a4 (git)
Affected: ef962df057aaafd714f5c22ba3de1be459571fdf , < 5ca60b86f57a4d9648f68418a725b3a7de2816b0 (git)
Affected: 3a32958d2ac96070c53d04bd8e013c97b260b5e6 (git)
Affected: 93f26306db89c9dc37885b76a1082e6d54d23b16 (git)
Affected: 26a849f49fb3347d126a0ed6611173f903374ef4 (git)
Affected: 1e7e4c9ae2a78a6791a2ca91a6a400f94855f01e (git)
Affected: 1926bf8ae44d80c9f50103f11fc4f17e2e2bf684 (git)

Linux

Affected: 3.11
Unaffected: 0 , < 3.11 (semver)
Unaffected: 4.19.323 , ≤ 4.19.* (semver)
Unaffected: 5.4.285 , ≤ 5.4.* (semver)
Unaffected: 5.10.227 , ≤ 5.10.* (semver)
Unaffected: 5.15.168 , ≤ 5.15.* (semver)
Unaffected: 6.1.113 , ≤ 6.1.* (semver)
Unaffected: 6.6.55 , ≤ 6.6.* (semver)
Unaffected: 6.10.14 , ≤ 6.10.* (semver)
Unaffected: 6.11.3 , ≤ 6.11.* (semver)
Unaffected: 6.12 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2024-49958",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2024-10-22T13:35:29.206736Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2024-10-22T13:38:48.118Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T22:23:38.186Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00002.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/01/msg00001.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/ocfs2/refcounttree.c",
            "fs/ocfs2/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "5c9807c523b4fca81d3e8e864dabc8c806402121",
              "status": "affected",
              "version": "ef962df057aaafd714f5c22ba3de1be459571fdf",
              "versionType": "git"
            },
            {
              "lessThan": "74364cb578dcc0b6c9109519d19cbe5a56afac9a",
              "status": "affected",
              "version": "ef962df057aaafd714f5c22ba3de1be459571fdf",
              "versionType": "git"
            },
            {
              "lessThan": "aac31d654a0a31cb0d2fa36ae694f4e164a52707",
              "status": "affected",
              "version": "ef962df057aaafd714f5c22ba3de1be459571fdf",
              "versionType": "git"
            },
            {
              "lessThan": "020f5c53c17f66c0a8f2d37dad27ace301b8d8a1",
              "status": "affected",
              "version": "ef962df057aaafd714f5c22ba3de1be459571fdf",
              "versionType": "git"
            },
            {
              "lessThan": "5c2072f02c0d75802ec28ec703b7d43a0dd008b5",
              "status": "affected",
              "version": "ef962df057aaafd714f5c22ba3de1be459571fdf",
              "versionType": "git"
            },
            {
              "lessThan": "637c00e06564a945e9d0edb3d78d362d64935f9f",
              "status": "affected",
              "version": "ef962df057aaafd714f5c22ba3de1be459571fdf",
              "versionType": "git"
            },
            {
              "lessThan": "9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9",
              "status": "affected",
              "version": "ef962df057aaafd714f5c22ba3de1be459571fdf",
              "versionType": "git"
            },
            {
              "lessThan": "96ce4c3537114d1698be635f5e36c62dc49df7a4",
              "status": "affected",
              "version": "ef962df057aaafd714f5c22ba3de1be459571fdf",
              "versionType": "git"
            },
            {
              "lessThan": "5ca60b86f57a4d9648f68418a725b3a7de2816b0",
              "status": "affected",
              "version": "ef962df057aaafd714f5c22ba3de1be459571fdf",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "3a32958d2ac96070c53d04bd8e013c97b260b5e6",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "93f26306db89c9dc37885b76a1082e6d54d23b16",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "26a849f49fb3347d126a0ed6611173f903374ef4",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1e7e4c9ae2a78a6791a2ca91a6a400f94855f01e",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "1926bf8ae44d80c9f50103f11fc4f17e2e2bf684",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/ocfs2/refcounttree.c",
            "fs/ocfs2/xattr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.11"
            },
            {
              "lessThan": "3.11",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "4.19.*",
              "status": "unaffected",
              "version": "4.19.323",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.285",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.227",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.168",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.113",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.55",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.10.*",
              "status": "unaffected",
              "version": "6.10.14",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.11.*",
              "status": "unaffected",
              "version": "6.11.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.12",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "4.19.323",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.285",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.227",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.168",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.113",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.55",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.10.14",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.11.3",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12",
                  "versionStartIncluding": "3.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.0.87",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.2.49",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.4.54",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.9.11",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "3.10.2",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nocfs2: reserve space for inline xattr before attaching reflink tree\n\nOne of our customers reported a crash and a corrupted ocfs2 filesystem. \nThe crash was due to the detection of corruption.  Upon troubleshooting,\nthe fsck -fn output showed the below corruption\n\n[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,\nbut fsck believes the largest valid value is 227.  Clamp the next record value? n\n\nThe stat output from the debugfs.ocfs2 showed the following corruption\nwhere the \"Next Free Rec:\" had overshot the \"Count:\" in the root metadata\nblock.\n\n        Inode: 33080590   Mode: 0640   Generation: 2619713622 (0x9c25a856)\n        FS Generation: 904309833 (0x35e6ac49)\n        CRC32: 00000000   ECC: 0000\n        Type: Regular   Attr: 0x0   Flags: Valid\n        Dynamic Features: (0x16) HasXattr InlineXattr Refcounted\n        Extended Attributes Block: 0  Extended Attributes Inline Size: 256\n        User: 0 (root)   Group: 0 (root)   Size: 281320357888\n        Links: 1   Clusters: 141738\n        ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024\n        atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024\n        mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024\n        dtime: 0x0 -- Wed Dec 31 17:00:00 1969\n        Refcount Block: 2777346\n        Last Extblk: 2886943   Orphan Slot: 0\n        Sub Alloc Slot: 0   Sub Alloc Bit: 14\n        Tree Depth: 1   Count: 227   Next Free Rec: 230\n        ## Offset        Clusters       Block#\n        0  0             2310           2776351\n        1  2310          2139           2777375\n        2  4449          1221           2778399\n        3  5670          731            2779423\n        4  6401          566            2780447\n        .......          ....           .......\n        .......          ....           .......\n\nThe issue was in the reflink workfow while reserving space for inline\nxattr.  The problematic function is ocfs2_reflink_xattr_inline().  By the\ntime this function is called the reflink tree is already recreated at the\ndestination inode from the source inode.  At this point, this function\nreserves space for inline xattrs at the destination inode without even\nchecking if there is space at the root metadata block.  It simply reduces\nthe l_count from 243 to 227 thereby making space of 256 bytes for inline\nxattr whereas the inode already has extents beyond this index (in this\ncase up to 230), thereby causing corruption.\n\nThe fix for this is to reserve space for inline metadata at the destination\ninode before the reflink tree gets recreated. The customer has verified the\nfix."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T12:59:13.995Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/5c9807c523b4fca81d3e8e864dabc8c806402121"
        },
        {
          "url": "https://git.kernel.org/stable/c/74364cb578dcc0b6c9109519d19cbe5a56afac9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/aac31d654a0a31cb0d2fa36ae694f4e164a52707"
        },
        {
          "url": "https://git.kernel.org/stable/c/020f5c53c17f66c0a8f2d37dad27ace301b8d8a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/5c2072f02c0d75802ec28ec703b7d43a0dd008b5"
        },
        {
          "url": "https://git.kernel.org/stable/c/637c00e06564a945e9d0edb3d78d362d64935f9f"
        },
        {
          "url": "https://git.kernel.org/stable/c/9f9a8f3ac65b4147f1a7b6c05fad5192c0e3c3d9"
        },
        {
          "url": "https://git.kernel.org/stable/c/96ce4c3537114d1698be635f5e36c62dc49df7a4"
        },
        {
          "url": "https://git.kernel.org/stable/c/5ca60b86f57a4d9648f68418a725b3a7de2816b0"
        }
      ],
      "title": "ocfs2: reserve space for inline xattr before attaching reflink tree",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-49958",
    "datePublished": "2024-10-21T18:02:11.702Z",
    "dateReserved": "2024-10-21T12:17:06.048Z",
    "dateUpdated": "2025-11-03T22:23:38.186Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-58072 (GCVE-0-2024-58072)

Vulnerability from cvelistv5 – Published: 2025-03-06 15:54 – Updated: 2025-11-03 19:34

Title

wifi: rtlwifi: remove unused check_buddy_priv

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: remove unused check_buddy_priv Commit 2461c7d60f9f ("rtlwifi: Update header file") introduced a global list of private data structures. Later on, commit 26634c4b1868 ("rtlwifi Modify existing bits to match vendor version 2013.02.07") started adding the private data to that list at probe time and added a hook, check_buddy_priv to find the private data from a similar device. However, that function was never used. Besides, though there is a lock for that list, it is never used. And when the probe fails, the private data is never removed from the list. This would cause a second probe to access freed memory. Remove the unused hook, structures and members, which will prevent the potential race condition on the list and its corruption during a second probe when probe fails.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f801e754efa21bd61…
	https://git.kernel.org/stable/c/1b9cbd8a9ae68b320…
	https://git.kernel.org/stable/c/8e2fcc68fbaab3ad9…
	https://git.kernel.org/stable/c/1e39b0486cdb496cd…
	https://git.kernel.org/stable/c/465d01ef6962b82b1…
	https://git.kernel.org/stable/c/543e3e9f2e9e47ded…
	https://git.kernel.org/stable/c/006e803af7408c3fc…
	https://git.kernel.org/stable/c/2fdac64c3c35858aa…

Impacted products

Vendor

Product

Version

Linux

Affected: 26634c4b1868323f49f8cd24c3493b57819867fd , < f801e754efa21bd61b3cc15ec7565696165b272f (git)
Affected: 26634c4b1868323f49f8cd24c3493b57819867fd , < 1b9cbd8a9ae68b32099fbb03b2d5ffa0c5e0dcc9 (git)
Affected: 26634c4b1868323f49f8cd24c3493b57819867fd , < 8e2fcc68fbaab3ad9f5671fee2be0956134b740a (git)
Affected: 26634c4b1868323f49f8cd24c3493b57819867fd , < 1e39b0486cdb496cdfba3bc89886150e46acf6f4 (git)
Affected: 26634c4b1868323f49f8cd24c3493b57819867fd , < 465d01ef6962b82b1f0ad1f3e58b398dbd35c1c1 (git)
Affected: 26634c4b1868323f49f8cd24c3493b57819867fd , < 543e3e9f2e9e47ded774c74e680f28a0ca362aee (git)
Affected: 26634c4b1868323f49f8cd24c3493b57819867fd , < 006e803af7408c3fc815b0654fc5ab43d34f0154 (git)
Affected: 26634c4b1868323f49f8cd24c3493b57819867fd , < 2fdac64c3c35858aa8ac5caa70b232e03456e120 (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:34:08.754Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtlwifi/base.c",
            "drivers/net/wireless/realtek/rtlwifi/base.h",
            "drivers/net/wireless/realtek/rtlwifi/pci.c",
            "drivers/net/wireless/realtek/rtlwifi/wifi.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f801e754efa21bd61b3cc15ec7565696165b272f",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "1b9cbd8a9ae68b32099fbb03b2d5ffa0c5e0dcc9",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "8e2fcc68fbaab3ad9f5671fee2be0956134b740a",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "1e39b0486cdb496cdfba3bc89886150e46acf6f4",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "465d01ef6962b82b1f0ad1f3e58b398dbd35c1c1",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "543e3e9f2e9e47ded774c74e680f28a0ca362aee",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "006e803af7408c3fc815b0654fc5ab43d34f0154",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            },
            {
              "lessThan": "2fdac64c3c35858aa8ac5caa70b232e03456e120",
              "status": "affected",
              "version": "26634c4b1868323f49f8cd24c3493b57819867fd",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtlwifi/base.c",
            "drivers/net/wireless/realtek/rtlwifi/base.h",
            "drivers/net/wireless/realtek/rtlwifi/pci.c",
            "drivers/net/wireless/realtek/rtlwifi/wifi.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: remove unused check_buddy_priv\n\nCommit 2461c7d60f9f (\"rtlwifi: Update header file\") introduced a global\nlist of private data structures.\n\nLater on, commit 26634c4b1868 (\"rtlwifi Modify existing bits to match\nvendor version 2013.02.07\") started adding the private data to that list at\nprobe time and added a hook, check_buddy_priv to find the private data from\na similar device.\n\nHowever, that function was never used.\n\nBesides, though there is a lock for that list, it is never used. And when\nthe probe fails, the private data is never removed from the list. This\nwould cause a second probe to access freed memory.\n\nRemove the unused hook, structures and members, which will prevent the\npotential race condition on the list and its corruption during a second\nprobe when probe fails."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:20.322Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f801e754efa21bd61b3cc15ec7565696165b272f"
        },
        {
          "url": "https://git.kernel.org/stable/c/1b9cbd8a9ae68b32099fbb03b2d5ffa0c5e0dcc9"
        },
        {
          "url": "https://git.kernel.org/stable/c/8e2fcc68fbaab3ad9f5671fee2be0956134b740a"
        },
        {
          "url": "https://git.kernel.org/stable/c/1e39b0486cdb496cdfba3bc89886150e46acf6f4"
        },
        {
          "url": "https://git.kernel.org/stable/c/465d01ef6962b82b1f0ad1f3e58b398dbd35c1c1"
        },
        {
          "url": "https://git.kernel.org/stable/c/543e3e9f2e9e47ded774c74e680f28a0ca362aee"
        },
        {
          "url": "https://git.kernel.org/stable/c/006e803af7408c3fc815b0654fc5ab43d34f0154"
        },
        {
          "url": "https://git.kernel.org/stable/c/2fdac64c3c35858aa8ac5caa70b232e03456e120"
        }
      ],
      "title": "wifi: rtlwifi: remove unused check_buddy_priv",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58072",
    "datePublished": "2025-03-06T15:54:11.665Z",
    "dateReserved": "2025-03-06T15:52:09.182Z",
    "dateUpdated": "2025-11-03T19:34:08.754Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21963 (GCVE-0-2025-21963)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:46 – Updated: 2025-11-03 19:40

Title

cifs: Fix integer overflow while processing acdirmax mount option

Summary

In the Linux kernel, the following vulnerability has been resolved: cifs: Fix integer overflow while processing acdirmax mount option User-provided mount parameter acdirmax of type u32 is intended to have an upper limit, but before it is validated, the value is converted from seconds to jiffies which can lead to an integer overflow. Found by Linux Verification Center (linuxtesting.org) with SVACE.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-190 - Integer Overflow or Wraparound

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/0c26edf477e093cef…
	https://git.kernel.org/stable/c/39d086bb3558da964…
	https://git.kernel.org/stable/c/9e438d0410a4002d2…
	https://git.kernel.org/stable/c/2809a79bc64964ce0…
	https://git.kernel.org/stable/c/6124cbf73e3dea759…
	https://git.kernel.org/stable/c/5b29891f91dfb8758…

Impacted products

Vendor

Product

Version

Linux

Affected: 4c9f948142a550af416a2bfb5e56d29ce29e92cf , < 0c26edf477e093cefc41637f5bccc102e1a77399 (git)
Affected: 4c9f948142a550af416a2bfb5e56d29ce29e92cf , < 39d086bb3558da9640ef335f97453e01d32578a1 (git)
Affected: 4c9f948142a550af416a2bfb5e56d29ce29e92cf , < 9e438d0410a4002d24f420f2c28897ba2dc0af64 (git)
Affected: 4c9f948142a550af416a2bfb5e56d29ce29e92cf , < 2809a79bc64964ce02e0c5f2d6bd39b9d09bdb3c (git)
Affected: 4c9f948142a550af416a2bfb5e56d29ce29e92cf , < 6124cbf73e3dea7591857dd63b8ccece28952afd (git)
Affected: 4c9f948142a550af416a2bfb5e56d29ce29e92cf , < 5b29891f91dfb8758baf1e2217bef4b16b2b165b (git)

Linux

Affected: 5.12
Unaffected: 0 , < 5.12 (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.132 , ≤ 6.1.* (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21963",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:21:03.805381Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-190",
                "description": "CWE-190 Integer Overflow or Wraparound",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:32.336Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:40:05.668Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/fs_context.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "0c26edf477e093cefc41637f5bccc102e1a77399",
              "status": "affected",
              "version": "4c9f948142a550af416a2bfb5e56d29ce29e92cf",
              "versionType": "git"
            },
            {
              "lessThan": "39d086bb3558da9640ef335f97453e01d32578a1",
              "status": "affected",
              "version": "4c9f948142a550af416a2bfb5e56d29ce29e92cf",
              "versionType": "git"
            },
            {
              "lessThan": "9e438d0410a4002d24f420f2c28897ba2dc0af64",
              "status": "affected",
              "version": "4c9f948142a550af416a2bfb5e56d29ce29e92cf",
              "versionType": "git"
            },
            {
              "lessThan": "2809a79bc64964ce02e0c5f2d6bd39b9d09bdb3c",
              "status": "affected",
              "version": "4c9f948142a550af416a2bfb5e56d29ce29e92cf",
              "versionType": "git"
            },
            {
              "lessThan": "6124cbf73e3dea7591857dd63b8ccece28952afd",
              "status": "affected",
              "version": "4c9f948142a550af416a2bfb5e56d29ce29e92cf",
              "versionType": "git"
            },
            {
              "lessThan": "5b29891f91dfb8758baf1e2217bef4b16b2b165b",
              "status": "affected",
              "version": "4c9f948142a550af416a2bfb5e56d29ce29e92cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/client/fs_context.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.12"
            },
            {
              "lessThan": "5.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.132",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.132",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncifs: Fix integer overflow while processing acdirmax mount option\n\nUser-provided mount parameter acdirmax of type u32 is intended to have\nan upper limit, but before it is validated, the value is converted from\nseconds to jiffies which can lead to an integer overflow.\n\nFound by Linux Verification Center (linuxtesting.org) with SVACE."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:52.714Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/0c26edf477e093cefc41637f5bccc102e1a77399"
        },
        {
          "url": "https://git.kernel.org/stable/c/39d086bb3558da9640ef335f97453e01d32578a1"
        },
        {
          "url": "https://git.kernel.org/stable/c/9e438d0410a4002d24f420f2c28897ba2dc0af64"
        },
        {
          "url": "https://git.kernel.org/stable/c/2809a79bc64964ce02e0c5f2d6bd39b9d09bdb3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/6124cbf73e3dea7591857dd63b8ccece28952afd"
        },
        {
          "url": "https://git.kernel.org/stable/c/5b29891f91dfb8758baf1e2217bef4b16b2b165b"
        }
      ],
      "title": "cifs: Fix integer overflow while processing acdirmax mount option",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21963",
    "datePublished": "2025-04-01T15:46:59.773Z",
    "dateReserved": "2024-12-29T08:45:45.795Z",
    "dateUpdated": "2025-11-03T19:40:05.668Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22017 (GCVE-0-2025-22017)

Vulnerability from cvelistv5 – Published: 2025-04-08 08:18 – Updated: 2025-05-04 07:27

Title

devlink: fix xa_alloc_cyclic() error handling

Summary

In the Linux kernel, the following vulnerability has been resolved: devlink: fix xa_alloc_cyclic() error handling In case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will be returned, which will cause IS_ERR() to be false. Which can lead to dereference not allocated pointer (rel). Fix it by checking if err is lower than zero. This wasn't found in real usecase, only noticed. Credit to Pierre.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f8aaa38cfaf6f20af…
	https://git.kernel.org/stable/c/466132f6d28a7e47a…
	https://git.kernel.org/stable/c/f3b97b7d4bf316c39…

Impacted products

Vendor

Product

Version

Linux

Affected: c137743bce02b18c1537d4681aa515f7b80bf0a8 , < f8aaa38cfaf6f20afa4db36b6529032fb69165dc (git)
Affected: c137743bce02b18c1537d4681aa515f7b80bf0a8 , < 466132f6d28a7e47a82501fe1c46b8f90487412e (git)
Affected: c137743bce02b18c1537d4681aa515f7b80bf0a8 , < f3b97b7d4bf316c3991e5634c9f4847c2df35478 (git)

Linux

Affected: 6.7
Unaffected: 0 , < 6.7 (semver)
Unaffected: 6.12.21 , ≤ 6.12.* (semver)
Unaffected: 6.13.9 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/devlink/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f8aaa38cfaf6f20afa4db36b6529032fb69165dc",
              "status": "affected",
              "version": "c137743bce02b18c1537d4681aa515f7b80bf0a8",
              "versionType": "git"
            },
            {
              "lessThan": "466132f6d28a7e47a82501fe1c46b8f90487412e",
              "status": "affected",
              "version": "c137743bce02b18c1537d4681aa515f7b80bf0a8",
              "versionType": "git"
            },
            {
              "lessThan": "f3b97b7d4bf316c3991e5634c9f4847c2df35478",
              "status": "affected",
              "version": "c137743bce02b18c1537d4681aa515f7b80bf0a8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/devlink/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.7"
            },
            {
              "lessThan": "6.7",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.21",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.9",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.21",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.9",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndevlink: fix xa_alloc_cyclic() error handling\n\nIn case of returning 1 from xa_alloc_cyclic() (wrapping) ERR_PTR(1) will\nbe returned, which will cause IS_ERR() to be false. Which can lead to\ndereference not allocated pointer (rel).\n\nFix it by checking if err is lower than zero.\n\nThis wasn\u0027t found in real usecase, only noticed. Credit to Pierre."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:27:47.122Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f8aaa38cfaf6f20afa4db36b6529032fb69165dc"
        },
        {
          "url": "https://git.kernel.org/stable/c/466132f6d28a7e47a82501fe1c46b8f90487412e"
        },
        {
          "url": "https://git.kernel.org/stable/c/f3b97b7d4bf316c3991e5634c9f4847c2df35478"
        }
      ],
      "title": "devlink: fix xa_alloc_cyclic() error handling",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22017",
    "datePublished": "2025-04-08T08:18:06.575Z",
    "dateReserved": "2024-12-29T08:45:45.806Z",
    "dateUpdated": "2025-05-04T07:27:47.122Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37780 (GCVE-0-2025-37780)

Vulnerability from cvelistv5 – Published: 2025-05-01 13:07 – Updated: 2025-11-03 19:54

Title

isofs: Prevent the use of too small fid

Summary

In the Linux kernel, the following vulnerability has been resolved: isofs: Prevent the use of too small fid syzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1] The handle_bytes value passed in by the reproducing program is equal to 12. In handle_to_path(), only 12 bytes of memory are allocated for the structure file_handle->f_handle member, which causes an out-of-bounds access when accessing the member parent_block of the structure isofs_fid in isofs, because accessing parent_block requires at least 16 bytes of f_handle. Here, fh_len is used to indirectly confirm that the value of handle_bytes is greater than 3 before accessing parent_block. [1] BUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 Read of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466 CPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025 Call trace: show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C) __dump_stack lib/dump_stack.c:94 [inline] dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:408 [inline] print_report+0x198/0x550 mm/kasan/report.c:521 kasan_report+0xd8/0x138 mm/kasan/report.c:634 __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380 isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183 exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523 do_handle_to_path+0xa0/0x198 fs/fhandle.c:257 handle_to_path fs/fhandle.c:385 [inline] do_handle_open+0x8cc/0xb8c fs/fhandle.c:403 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline] __se_sys_open_by_handle_at fs/fhandle.c:434 [inline] __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600 Allocated by task 6466: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x40/0x78 mm/kasan/common.c:68 kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562 poison_kmalloc_redzone mm/kasan/common.c:377 [inline] __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394 kasan_kmalloc include/linux/kasan.h:260 [inline] __do_kmalloc_node mm/slub.c:4294 [inline] __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306 kmalloc_noprof include/linux/slab.h:905 [inline] handle_to_path fs/fhandle.c:357 [inline] do_handle_open+0x5a4/0xb8c fs/fhandle.c:403 __do_sys_open_by_handle_at fs/fhandle.c:443 [inline] __se_sys_open_by_handle_at fs/fhandle.c:434 [inline] __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434 __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline] invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49 el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132 do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151 el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744 el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762 el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ee01a309ebf598be1…
	https://git.kernel.org/stable/c/5e7de55602c61c8ff…
	https://git.kernel.org/stable/c/63d5a3e207bf315a3…
	https://git.kernel.org/stable/c/0fdafdaef796816a9…
	https://git.kernel.org/stable/c/952e7a7e317f126d0…
	https://git.kernel.org/stable/c/56dfffea9fd3be0b3…
	https://git.kernel.org/stable/c/007124c896e7d4614…
	https://git.kernel.org/stable/c/0405d4b63d082861f…

Impacted products

Vendor

Product

Version

Linux

Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < ee01a309ebf598be1ff8174901ed6e91619f1749 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 5e7de55602c61c8ff28db075cc49c8dd6989d7e0 (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 63d5a3e207bf315a32c7d16de6c89753a759f95a (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0fdafdaef796816a9ed0fd7ac812932d569d9beb (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 952e7a7e317f126d0a2b879fc531b716932d5ffa (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 56dfffea9fd3be0b3795a9ca6401e133a8427e0b (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 007124c896e7d4614ac1f6bd4dedb975c35a2a8e (git)
Affected: 1da177e4c3f41524e886b7f1b8a0c1fc7321cac2 , < 0405d4b63d082861f4eaff9d39c78ee9dc34f845 (git)

Linux

Affected: 2.6.12
Unaffected: 0 , < 2.6.12 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:54:58.221Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/isofs/export.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ee01a309ebf598be1ff8174901ed6e91619f1749",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "5e7de55602c61c8ff28db075cc49c8dd6989d7e0",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "63d5a3e207bf315a32c7d16de6c89753a759f95a",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0fdafdaef796816a9ed0fd7ac812932d569d9beb",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "952e7a7e317f126d0a2b879fc531b716932d5ffa",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "56dfffea9fd3be0b3795a9ca6401e133a8427e0b",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "007124c896e7d4614ac1f6bd4dedb975c35a2a8e",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            },
            {
              "lessThan": "0405d4b63d082861f4eaff9d39c78ee9dc34f845",
              "status": "affected",
              "version": "1da177e4c3f41524e886b7f1b8a0c1fc7321cac2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/isofs/export.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.12"
            },
            {
              "lessThan": "2.6.12",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.12",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nisofs: Prevent the use of too small fid\n\nsyzbot reported a slab-out-of-bounds Read in isofs_fh_to_parent. [1]\n\nThe handle_bytes value passed in by the reproducing program is equal to 12.\nIn handle_to_path(), only 12 bytes of memory are allocated for the structure\nfile_handle-\u003ef_handle member, which causes an out-of-bounds access when\naccessing the member parent_block of the structure isofs_fid in isofs,\nbecause accessing parent_block requires at least 16 bytes of f_handle.\nHere, fh_len is used to indirectly confirm that the value of handle_bytes\nis greater than 3 before accessing parent_block.\n\n[1]\nBUG: KASAN: slab-out-of-bounds in isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183\nRead of size 4 at addr ffff0000cc030d94 by task syz-executor215/6466\nCPU: 1 UID: 0 PID: 6466 Comm: syz-executor215 Not tainted 6.14.0-rc7-syzkaller-ga2392f333575 #0\nHardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2025\nCall trace:\n show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:466 (C)\n __dump_stack lib/dump_stack.c:94 [inline]\n dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:120\n print_address_description mm/kasan/report.c:408 [inline]\n print_report+0x198/0x550 mm/kasan/report.c:521\n kasan_report+0xd8/0x138 mm/kasan/report.c:634\n __asan_report_load4_noabort+0x20/0x2c mm/kasan/report_generic.c:380\n isofs_fh_to_parent+0x1b8/0x210 fs/isofs/export.c:183\n exportfs_decode_fh_raw+0x2dc/0x608 fs/exportfs/expfs.c:523\n do_handle_to_path+0xa0/0x198 fs/fhandle.c:257\n handle_to_path fs/fhandle.c:385 [inline]\n do_handle_open+0x8cc/0xb8c fs/fhandle.c:403\n __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]\n __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]\n __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600\n\nAllocated by task 6466:\n kasan_save_stack mm/kasan/common.c:47 [inline]\n kasan_save_track+0x40/0x78 mm/kasan/common.c:68\n kasan_save_alloc_info+0x40/0x50 mm/kasan/generic.c:562\n poison_kmalloc_redzone mm/kasan/common.c:377 [inline]\n __kasan_kmalloc+0xac/0xc4 mm/kasan/common.c:394\n kasan_kmalloc include/linux/kasan.h:260 [inline]\n __do_kmalloc_node mm/slub.c:4294 [inline]\n __kmalloc_noprof+0x32c/0x54c mm/slub.c:4306\n kmalloc_noprof include/linux/slab.h:905 [inline]\n handle_to_path fs/fhandle.c:357 [inline]\n do_handle_open+0x5a4/0xb8c fs/fhandle.c:403\n __do_sys_open_by_handle_at fs/fhandle.c:443 [inline]\n __se_sys_open_by_handle_at fs/fhandle.c:434 [inline]\n __arm64_sys_open_by_handle_at+0x80/0x94 fs/fhandle.c:434\n __invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]\n invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49\n el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132\n do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151\n el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:744\n el0t_64_sync_handler+0x84/0x108 arch/arm64/kernel/entry-common.c:762\n el0t_64_sync+0x198/0x19c arch/arm64/kernel/entry.S:600"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:43.848Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ee01a309ebf598be1ff8174901ed6e91619f1749"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e7de55602c61c8ff28db075cc49c8dd6989d7e0"
        },
        {
          "url": "https://git.kernel.org/stable/c/63d5a3e207bf315a32c7d16de6c89753a759f95a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0fdafdaef796816a9ed0fd7ac812932d569d9beb"
        },
        {
          "url": "https://git.kernel.org/stable/c/952e7a7e317f126d0a2b879fc531b716932d5ffa"
        },
        {
          "url": "https://git.kernel.org/stable/c/56dfffea9fd3be0b3795a9ca6401e133a8427e0b"
        },
        {
          "url": "https://git.kernel.org/stable/c/007124c896e7d4614ac1f6bd4dedb975c35a2a8e"
        },
        {
          "url": "https://git.kernel.org/stable/c/0405d4b63d082861f4eaff9d39c78ee9dc34f845"
        }
      ],
      "title": "isofs: Prevent the use of too small fid",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37780",
    "datePublished": "2025-05-01T13:07:17.748Z",
    "dateReserved": "2025-04-16T04:51:23.940Z",
    "dateUpdated": "2025-11-03T19:54:58.221Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37883 (GCVE-0-2025-37883)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:45 – Updated: 2026-01-02 15:29

Title

s390/sclp: Add check for get_zeroed_page()

Summary

In the Linux kernel, the following vulnerability has been resolved: s390/sclp: Add check for get_zeroed_page() Add check for the return value of get_zeroed_page() in sclp_console_init() to prevent null pointer dereference. Furthermore, to solve the memory leak caused by the loop allocation, add a free helper to do the free job.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/e1e00dc45648125ef…
	https://git.kernel.org/stable/c/397254706eba9d8f9…
	https://git.kernel.org/stable/c/28e5a867aa542e369…
	https://git.kernel.org/stable/c/3b3aa72636a620593…
	https://git.kernel.org/stable/c/f69f8a93aacf6e99a…
	https://git.kernel.org/stable/c/3db42c75a921854a9…

Impacted products

Vendor

Product

Version

Linux

Affected: 4c8f4794b61e89dd68f96cfc23a9d9b6c25be420 , < e1e00dc45648125ef7cb87ebc3b581ac224e7b39 (git)
Affected: 4c8f4794b61e89dd68f96cfc23a9d9b6c25be420 , < 397254706eba9d8f99fd237feede7ab3169a7f9a (git)
Affected: 4c8f4794b61e89dd68f96cfc23a9d9b6c25be420 , < 28e5a867aa542e369e211c2baba7044228809a99 (git)
Affected: 4c8f4794b61e89dd68f96cfc23a9d9b6c25be420 , < 3b3aa72636a6205933609ec274a8747720c1ee3f (git)
Affected: 4c8f4794b61e89dd68f96cfc23a9d9b6c25be420 , < f69f8a93aacf6e99af7b1cc992d8ca2cc07b96fb (git)
Affected: 4c8f4794b61e89dd68f96cfc23a9d9b6c25be420 , < 3db42c75a921854a99db0a2775814fef97415bac (git)

Linux

Affected: 2.6.31
Unaffected: 0 , < 2.6.31 (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.136 , ≤ 6.1.* (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:55.267Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/s390/char/sclp_con.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "e1e00dc45648125ef7cb87ebc3b581ac224e7b39",
              "status": "affected",
              "version": "4c8f4794b61e89dd68f96cfc23a9d9b6c25be420",
              "versionType": "git"
            },
            {
              "lessThan": "397254706eba9d8f99fd237feede7ab3169a7f9a",
              "status": "affected",
              "version": "4c8f4794b61e89dd68f96cfc23a9d9b6c25be420",
              "versionType": "git"
            },
            {
              "lessThan": "28e5a867aa542e369e211c2baba7044228809a99",
              "status": "affected",
              "version": "4c8f4794b61e89dd68f96cfc23a9d9b6c25be420",
              "versionType": "git"
            },
            {
              "lessThan": "3b3aa72636a6205933609ec274a8747720c1ee3f",
              "status": "affected",
              "version": "4c8f4794b61e89dd68f96cfc23a9d9b6c25be420",
              "versionType": "git"
            },
            {
              "lessThan": "f69f8a93aacf6e99af7b1cc992d8ca2cc07b96fb",
              "status": "affected",
              "version": "4c8f4794b61e89dd68f96cfc23a9d9b6c25be420",
              "versionType": "git"
            },
            {
              "lessThan": "3db42c75a921854a99db0a2775814fef97415bac",
              "status": "affected",
              "version": "4c8f4794b61e89dd68f96cfc23a9d9b6c25be420",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/s390/char/sclp_con.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.31"
            },
            {
              "lessThan": "2.6.31",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.136",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.136",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.31",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ns390/sclp: Add check for get_zeroed_page()\n\nAdd check for the return value of get_zeroed_page() in\nsclp_console_init() to prevent null pointer dereference.\nFurthermore, to solve the memory leak caused by the loop\nallocation, add a free helper to do the free job."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:30.609Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/e1e00dc45648125ef7cb87ebc3b581ac224e7b39"
        },
        {
          "url": "https://git.kernel.org/stable/c/397254706eba9d8f99fd237feede7ab3169a7f9a"
        },
        {
          "url": "https://git.kernel.org/stable/c/28e5a867aa542e369e211c2baba7044228809a99"
        },
        {
          "url": "https://git.kernel.org/stable/c/3b3aa72636a6205933609ec274a8747720c1ee3f"
        },
        {
          "url": "https://git.kernel.org/stable/c/f69f8a93aacf6e99af7b1cc992d8ca2cc07b96fb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3db42c75a921854a99db0a2775814fef97415bac"
        }
      ],
      "title": "s390/sclp: Add check for get_zeroed_page()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37883",
    "datePublished": "2025-05-09T06:45:46.716Z",
    "dateReserved": "2025-04-16T04:51:23.962Z",
    "dateUpdated": "2026-01-02T15:29:30.609Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37840 (GCVE-0-2025-37840)

Vulnerability from cvelistv5 – Published: 2025-05-09 06:41 – Updated: 2025-11-03 19:56

Title

mtd: rawnand: brcmnand: fix PM resume warning

Summary

In the Linux kernel, the following vulnerability has been resolved: mtd: rawnand: brcmnand: fix PM resume warning Fixed warning on PM resume as shown below caused due to uninitialized struct nand_operation that checks chip select field : WARN_ON(op->cs >= nanddev_ntargets(&chip->base) [ 14.588522] ------------[ cut here ]------------ [ 14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8 [ 14.588553] Modules linked in: bdc udc_core [ 14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G W 6.14.0-rc4-g5394eea10651 #16 [ 14.588590] Tainted: [W]=WARN [ 14.588593] Hardware name: Broadcom STB (Flattened Device Tree) [ 14.588598] Call trace: [ 14.588604] dump_backtrace from show_stack+0x18/0x1c [ 14.588622] r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c [ 14.588625] show_stack from dump_stack_lvl+0x70/0x7c [ 14.588639] dump_stack_lvl from dump_stack+0x18/0x1c [ 14.588653] r5:c08d40b0 r4:c1003cb0 [ 14.588656] dump_stack from __warn+0x84/0xe4 [ 14.588668] __warn from warn_slowpath_fmt+0x18c/0x194 [ 14.588678] r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000 [ 14.588681] warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8 [ 14.588695] r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048 [ 14.588697] nand_reset_op from brcmnand_resume+0x13c/0x150 [ 14.588714] r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040 [ 14.588717] brcmnand_resume from platform_pm_resume+0x34/0x54 [ 14.588735] r5:00000010 r4:c0840a50 [ 14.588738] platform_pm_resume from dpm_run_callback+0x5c/0x14c [ 14.588757] dpm_run_callback from device_resume+0xc0/0x324 [ 14.588776] r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010 [ 14.588779] device_resume from dpm_resume+0x130/0x160 [ 14.588799] r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0 [ 14.588802] dpm_resume from dpm_resume_end+0x14/0x20 [ 14.588822] r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414 [ 14.588826] r4:00000010 [ 14.588828] dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8 [ 14.588848] r5:c228a414 r4:00000000 [ 14.588851] suspend_devices_and_enter from pm_suspend+0x228/0x2bc [ 14.588868] r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000 [ 14.588871] r4:00000003 [ 14.588874] pm_suspend from state_store+0x74/0xd0 [ 14.588889] r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003 [ 14.588892] state_store from kobj_attr_store+0x1c/0x28 [ 14.588913] r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250 [ 14.588916] kobj_attr_store from sysfs_kf_write+0x40/0x4c [ 14.588936] r5:c3502900 r4:c0d92a48 [ 14.588939] sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0 [ 14.588956] r5:c3502900 r4:c3501f40 [ 14.588960] kernfs_fop_write_iter from vfs_write+0x250/0x420 [ 14.588980] r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00 [ 14.588983] r4:c042a88c [ 14.588987] vfs_write from ksys_write+0x74/0xe4 [ 14.589005] r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00 [ 14.589008] r4:c34f7f00 [ 14.589011] ksys_write from sys_write+0x10/0x14 [ 14.589029] r7:00000004 r6:004421c0 r5:00443398 r4:00000004 [ 14.589032] sys_write from ret_fast_syscall+0x0/0x5c [ 14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0) [ 14.589050] 9fa0: 00000004 00443398 00000004 00443398 00000004 00000001 [ 14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78 [ 14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8 [ 14.589065] ---[ end trace 0000000000000000 ]--- The fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when doing PM resume operation in compliance with the controller support for single die nand chip. Switching from nand_reset_op() to nan ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6f567c6a5250e3531…
	https://git.kernel.org/stable/c/8775581e1c48e1bdd…
	https://git.kernel.org/stable/c/fbcb584efa5cd912f…
	https://git.kernel.org/stable/c/9dd161f707ecb7db3…
	https://git.kernel.org/stable/c/9bd51723ab51580e0…
	https://git.kernel.org/stable/c/7266066b9469f04ed…
	https://git.kernel.org/stable/c/c2eb3cffb0d972c55…
	https://git.kernel.org/stable/c/659b1f29f3e2fd5d7…
	https://git.kernel.org/stable/c/ddc210cf8b8a8be68…

Impacted products

Vendor

Product

Version

Linux

Affected: 97d90da8a886949f09bb4754843fb0b504956ad2 , < 6f567c6a5250e3531cfd9c7ff254ecc2650464fa (git)
Affected: 97d90da8a886949f09bb4754843fb0b504956ad2 , < 8775581e1c48e1bdd04a893d6f6bbe5128ad0ea7 (git)
Affected: 97d90da8a886949f09bb4754843fb0b504956ad2 , < fbcb584efa5cd912ff8a151d67b8fe22f4162a85 (git)
Affected: 97d90da8a886949f09bb4754843fb0b504956ad2 , < 9dd161f707ecb7db38e5f529e979a5b6eb565b2d (git)
Affected: 97d90da8a886949f09bb4754843fb0b504956ad2 , < 9bd51723ab51580e077c91d494c37e80703b8524 (git)
Affected: 97d90da8a886949f09bb4754843fb0b504956ad2 , < 7266066b9469f04ed1d4c0fdddaea1425835eb55 (git)
Affected: 97d90da8a886949f09bb4754843fb0b504956ad2 , < c2eb3cffb0d972c5503e4d48921971c81def0fe5 (git)
Affected: 97d90da8a886949f09bb4754843fb0b504956ad2 , < 659b1f29f3e2fd5d751fdf35c5526d1f1c9b3dd2 (git)
Affected: 97d90da8a886949f09bb4754843fb0b504956ad2 , < ddc210cf8b8a8be68051ad958bf3e2cef6b681c2 (git)

Linux

Affected: 4.16
Unaffected: 0 , < 4.16 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:56:15.093Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/nand/raw/brcmnand/brcmnand.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6f567c6a5250e3531cfd9c7ff254ecc2650464fa",
              "status": "affected",
              "version": "97d90da8a886949f09bb4754843fb0b504956ad2",
              "versionType": "git"
            },
            {
              "lessThan": "8775581e1c48e1bdd04a893d6f6bbe5128ad0ea7",
              "status": "affected",
              "version": "97d90da8a886949f09bb4754843fb0b504956ad2",
              "versionType": "git"
            },
            {
              "lessThan": "fbcb584efa5cd912ff8a151d67b8fe22f4162a85",
              "status": "affected",
              "version": "97d90da8a886949f09bb4754843fb0b504956ad2",
              "versionType": "git"
            },
            {
              "lessThan": "9dd161f707ecb7db38e5f529e979a5b6eb565b2d",
              "status": "affected",
              "version": "97d90da8a886949f09bb4754843fb0b504956ad2",
              "versionType": "git"
            },
            {
              "lessThan": "9bd51723ab51580e077c91d494c37e80703b8524",
              "status": "affected",
              "version": "97d90da8a886949f09bb4754843fb0b504956ad2",
              "versionType": "git"
            },
            {
              "lessThan": "7266066b9469f04ed1d4c0fdddaea1425835eb55",
              "status": "affected",
              "version": "97d90da8a886949f09bb4754843fb0b504956ad2",
              "versionType": "git"
            },
            {
              "lessThan": "c2eb3cffb0d972c5503e4d48921971c81def0fe5",
              "status": "affected",
              "version": "97d90da8a886949f09bb4754843fb0b504956ad2",
              "versionType": "git"
            },
            {
              "lessThan": "659b1f29f3e2fd5d751fdf35c5526d1f1c9b3dd2",
              "status": "affected",
              "version": "97d90da8a886949f09bb4754843fb0b504956ad2",
              "versionType": "git"
            },
            {
              "lessThan": "ddc210cf8b8a8be68051ad958bf3e2cef6b681c2",
              "status": "affected",
              "version": "97d90da8a886949f09bb4754843fb0b504956ad2",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/nand/raw/brcmnand/brcmnand.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.16"
            },
            {
              "lessThan": "4.16",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.16",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: rawnand: brcmnand: fix PM resume warning\n\nFixed warning on PM resume as shown below caused due to uninitialized\nstruct nand_operation that checks chip select field :\nWARN_ON(op-\u003ecs \u003e= nanddev_ntargets(\u0026chip-\u003ebase)\n\n[   14.588522] ------------[ cut here ]------------\n[   14.588529] WARNING: CPU: 0 PID: 1392 at drivers/mtd/nand/raw/internals.h:139 nand_reset_op+0x1e0/0x1f8\n[   14.588553] Modules linked in: bdc udc_core\n[   14.588579] CPU: 0 UID: 0 PID: 1392 Comm: rtcwake Tainted: G        W          6.14.0-rc4-g5394eea10651 #16\n[   14.588590] Tainted: [W]=WARN\n[   14.588593] Hardware name: Broadcom STB (Flattened Device Tree)\n[   14.588598] Call trace:\n[   14.588604]  dump_backtrace from show_stack+0x18/0x1c\n[   14.588622]  r7:00000009 r6:0000008b r5:60000153 r4:c0fa558c\n[   14.588625]  show_stack from dump_stack_lvl+0x70/0x7c\n[   14.588639]  dump_stack_lvl from dump_stack+0x18/0x1c\n[   14.588653]  r5:c08d40b0 r4:c1003cb0\n[   14.588656]  dump_stack from __warn+0x84/0xe4\n[   14.588668]  __warn from warn_slowpath_fmt+0x18c/0x194\n[   14.588678]  r7:c08d40b0 r6:c1003cb0 r5:00000000 r4:00000000\n[   14.588681]  warn_slowpath_fmt from nand_reset_op+0x1e0/0x1f8\n[   14.588695]  r8:70c40dff r7:89705f41 r6:36b4a597 r5:c26c9444 r4:c26b0048\n[   14.588697]  nand_reset_op from brcmnand_resume+0x13c/0x150\n[   14.588714]  r9:00000000 r8:00000000 r7:c24f8010 r6:c228a3f8 r5:c26c94bc r4:c26b0040\n[   14.588717]  brcmnand_resume from platform_pm_resume+0x34/0x54\n[   14.588735]  r5:00000010 r4:c0840a50\n[   14.588738]  platform_pm_resume from dpm_run_callback+0x5c/0x14c\n[   14.588757]  dpm_run_callback from device_resume+0xc0/0x324\n[   14.588776]  r9:c24f8054 r8:c24f80a0 r7:00000000 r6:00000000 r5:00000010 r4:c24f8010\n[   14.588779]  device_resume from dpm_resume+0x130/0x160\n[   14.588799]  r9:c22539e4 r8:00000010 r7:c22bebb0 r6:c24f8010 r5:c22539dc r4:c22539b0\n[   14.588802]  dpm_resume from dpm_resume_end+0x14/0x20\n[   14.588822]  r10:c2204e40 r9:00000000 r8:c228a3fc r7:00000000 r6:00000003 r5:c228a414\n[   14.588826]  r4:00000010\n[   14.588828]  dpm_resume_end from suspend_devices_and_enter+0x274/0x6f8\n[   14.588848]  r5:c228a414 r4:00000000\n[   14.588851]  suspend_devices_and_enter from pm_suspend+0x228/0x2bc\n[   14.588868]  r10:c3502910 r9:c3501f40 r8:00000004 r7:c228a438 r6:c0f95e18 r5:00000000\n[   14.588871]  r4:00000003\n[   14.588874]  pm_suspend from state_store+0x74/0xd0\n[   14.588889]  r7:c228a438 r6:c0f934c8 r5:00000003 r4:00000003\n[   14.588892]  state_store from kobj_attr_store+0x1c/0x28\n[   14.588913]  r9:00000000 r8:00000000 r7:f09f9f08 r6:00000004 r5:c3502900 r4:c0283250\n[   14.588916]  kobj_attr_store from sysfs_kf_write+0x40/0x4c\n[   14.588936]  r5:c3502900 r4:c0d92a48\n[   14.588939]  sysfs_kf_write from kernfs_fop_write_iter+0x104/0x1f0\n[   14.588956]  r5:c3502900 r4:c3501f40\n[   14.588960]  kernfs_fop_write_iter from vfs_write+0x250/0x420\n[   14.588980]  r10:c0e14b48 r9:00000000 r8:c25f5780 r7:00443398 r6:f09f9f68 r5:c34f7f00\n[   14.588983]  r4:c042a88c\n[   14.588987]  vfs_write from ksys_write+0x74/0xe4\n[   14.589005]  r10:00000004 r9:c25f5780 r8:c02002fA0 r7:00000000 r6:00000000 r5:c34f7f00\n[   14.589008]  r4:c34f7f00\n[   14.589011]  ksys_write from sys_write+0x10/0x14\n[   14.589029]  r7:00000004 r6:004421c0 r5:00443398 r4:00000004\n[   14.589032]  sys_write from ret_fast_syscall+0x0/0x5c\n[   14.589044] Exception stack(0xf09f9fa8 to 0xf09f9ff0)\n[   14.589050] 9fa0:                   00000004 00443398 00000004 00443398 00000004 00000001\n[   14.589056] 9fc0: 00000004 00443398 004421c0 00000004 b6ecbd58 00000008 bebfbc38 0043eb78\n[   14.589062] 9fe0: 00440eb0 bebfbaf8 b6de18a0 b6e579e8\n[   14.589065] ---[ end trace 0000000000000000 ]---\n\nThe fix uses the higher level nand_reset(chip, chipnr); where chipnr = 0, when\ndoing PM resume operation in compliance with the controller support for single\ndie nand chip. Switching from nand_reset_op() to nan\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:22:03.069Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6f567c6a5250e3531cfd9c7ff254ecc2650464fa"
        },
        {
          "url": "https://git.kernel.org/stable/c/8775581e1c48e1bdd04a893d6f6bbe5128ad0ea7"
        },
        {
          "url": "https://git.kernel.org/stable/c/fbcb584efa5cd912ff8a151d67b8fe22f4162a85"
        },
        {
          "url": "https://git.kernel.org/stable/c/9dd161f707ecb7db38e5f529e979a5b6eb565b2d"
        },
        {
          "url": "https://git.kernel.org/stable/c/9bd51723ab51580e077c91d494c37e80703b8524"
        },
        {
          "url": "https://git.kernel.org/stable/c/7266066b9469f04ed1d4c0fdddaea1425835eb55"
        },
        {
          "url": "https://git.kernel.org/stable/c/c2eb3cffb0d972c5503e4d48921971c81def0fe5"
        },
        {
          "url": "https://git.kernel.org/stable/c/659b1f29f3e2fd5d751fdf35c5526d1f1c9b3dd2"
        },
        {
          "url": "https://git.kernel.org/stable/c/ddc210cf8b8a8be68051ad958bf3e2cef6b681c2"
        }
      ],
      "title": "mtd: rawnand: brcmnand: fix PM resume warning",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37840",
    "datePublished": "2025-05-09T06:41:50.015Z",
    "dateReserved": "2025-04-16T04:51:23.952Z",
    "dateUpdated": "2025-11-03T19:56:15.093Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37860 (GCVE-0-2025-37860)

Vulnerability from cvelistv5 – Published: 2025-04-18 07:01 – Updated: 2025-11-02 13:30

Title

sfc: fix NULL dereferences in ef100_process_design_param()

Summary

In the Linux kernel, the following vulnerability has been resolved: sfc: fix NULL dereferences in ef100_process_design_param() Since cited commit, ef100_probe_main() and hence also ef100_check_design_params() run before efx->net_dev is created; consequently, we cannot netif_set_tso_max_size() or _segs() at this point. Move those netif calls to ef100_probe_netdev(), and also replace netif_err within the design params code with pci_err.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-476 - NULL Pointer Dereference

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/f21623b8446735b5e…
	https://git.kernel.org/stable/c/e56391011381d6d02…
	https://git.kernel.org/stable/c/8241ecec1cdc6699a…

Impacted products

Vendor

Product

Version

Linux

Affected: 98ff4c7c8ac7f5339aac6114105395fea19f992e , < f21623b8446735b5e2ac5f8ee69b8743177d7b19 (git)
Affected: 98ff4c7c8ac7f5339aac6114105395fea19f992e , < e56391011381d6d029da377a65ac314cb3d5def2 (git)
Affected: 98ff4c7c8ac7f5339aac6114105395fea19f992e , < 8241ecec1cdc6699ae197d52d58e76bddd995fa5 (git)

Linux

Affected: 6.0
Unaffected: 0 , < 6.0 (semver)
Unaffected: 6.12.57 , ≤ 6.12.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-37860",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T16:14:46.502915Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-476",
                "description": "CWE-476 NULL Pointer Dereference",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T16:14:52.389Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/sfc/ef100_netdev.c",
            "drivers/net/ethernet/sfc/ef100_nic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "f21623b8446735b5e2ac5f8ee69b8743177d7b19",
              "status": "affected",
              "version": "98ff4c7c8ac7f5339aac6114105395fea19f992e",
              "versionType": "git"
            },
            {
              "lessThan": "e56391011381d6d029da377a65ac314cb3d5def2",
              "status": "affected",
              "version": "98ff4c7c8ac7f5339aac6114105395fea19f992e",
              "versionType": "git"
            },
            {
              "lessThan": "8241ecec1cdc6699ae197d52d58e76bddd995fa5",
              "status": "affected",
              "version": "98ff4c7c8ac7f5339aac6114105395fea19f992e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/sfc/ef100_netdev.c",
            "drivers/net/ethernet/sfc/ef100_nic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.0"
            },
            {
              "lessThan": "6.0",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.57",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.57",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.0",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nsfc: fix NULL dereferences in ef100_process_design_param()\n\nSince cited commit, ef100_probe_main() and hence also\n ef100_check_design_params() run before efx-\u003enet_dev is created;\n consequently, we cannot netif_set_tso_max_size() or _segs() at this\n point.\nMove those netif calls to ef100_probe_netdev(), and also replace\n netif_err within the design params code with pci_err."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-11-02T13:30:36.755Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/f21623b8446735b5e2ac5f8ee69b8743177d7b19"
        },
        {
          "url": "https://git.kernel.org/stable/c/e56391011381d6d029da377a65ac314cb3d5def2"
        },
        {
          "url": "https://git.kernel.org/stable/c/8241ecec1cdc6699ae197d52d58e76bddd995fa5"
        }
      ],
      "title": "sfc: fix NULL dereferences in ef100_process_design_param()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37860",
    "datePublished": "2025-04-18T07:01:28.132Z",
    "dateReserved": "2025-04-16T04:51:23.957Z",
    "dateUpdated": "2025-11-02T13:30:36.755Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-23153 (GCVE-0-2025-23153)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-05-26 05:19

Title

arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()

Summary

In the Linux kernel, the following vulnerability has been resolved: arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch() Fix a silly bug where an array was used outside of its scope.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d8eba735be74e7477…
	https://git.kernel.org/stable/c/3371f569223c4e8d3…

Impacted products

Vendor

Product

Version

Linux

Affected: 1684e8293605062dee45a5e4118fe8db6cd0d9d9 , < d8eba735be74e74776f9f6d9c691bdb75b08b29c (git)
Affected: 1684e8293605062dee45a5e4118fe8db6cd0d9d9 , < 3371f569223c4e8d36edbb0ba789ee5f5cb7316f (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/arm/lib/crc-t10dif-glue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d8eba735be74e74776f9f6d9c691bdb75b08b29c",
              "status": "affected",
              "version": "1684e8293605062dee45a5e4118fe8db6cd0d9d9",
              "versionType": "git"
            },
            {
              "lessThan": "3371f569223c4e8d36edbb0ba789ee5f5cb7316f",
              "status": "affected",
              "version": "1684e8293605062dee45a5e4118fe8db6cd0d9d9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/arm/lib/crc-t10dif-glue.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\narm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()\n\nFix a silly bug where an array was used outside of its scope."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:35.495Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d8eba735be74e74776f9f6d9c691bdb75b08b29c"
        },
        {
          "url": "https://git.kernel.org/stable/c/3371f569223c4e8d36edbb0ba789ee5f5cb7316f"
        }
      ],
      "title": "arm/crc-t10dif: fix use of out-of-scope array in crc_t10dif_arch()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23153",
    "datePublished": "2025-05-01T12:55:40.116Z",
    "dateReserved": "2025-01-11T14:28:41.513Z",
    "dateUpdated": "2025-05-26T05:19:35.495Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21791 (GCVE-0-2025-21791)

Vulnerability from cvelistv5 – Published: 2025-02-27 02:18 – Updated: 2025-11-03 20:59

Title

vrf: use RCU protection in l3mdev_l3_out()

Summary

In the Linux kernel, the following vulnerability has been resolved: vrf: use RCU protection in l3mdev_l3_out() l3mdev_l3_out() can be called without RCU being held: raw_sendmsg() ip_push_pending_frames() ip_send_skb() ip_local_out() __ip_local_out() l3mdev_ip_out() Add rcu_read_lock() / rcu_read_unlock() pair to avoid a potential UAF.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6ccaa5797f5362a2a…
	https://git.kernel.org/stable/c/20a3489b396764cc9…
	https://git.kernel.org/stable/c/5bb4228c32261d06e…
	https://git.kernel.org/stable/c/c7574740be8ce68a5…
	https://git.kernel.org/stable/c/c40cb5c03e37552d6…
	https://git.kernel.org/stable/c/022cac1c693add610…
	https://git.kernel.org/stable/c/7b81425b517accefd…
	https://git.kernel.org/stable/c/6d0ce46a93135d96b…

Impacted products

Vendor

Product

Version

Linux

Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 20a3489b396764cc9376e32a9172bee26a89dc3b (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 5bb4228c32261d06e4fbece37ec3828bcc005b6b (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < c7574740be8ce68a57d0aece24987b9be2114c3c (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < c40cb5c03e37552d6eff963187109e2c3f78ef6f (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 022cac1c693add610ae76ede03adf4d9d5a2cf21 (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 7b81425b517accefd46bee854d94954f5c57e019 (git)
Affected: a8e3e1a9f02094145580ea7920c6a1d9aabd5539 , < 6d0ce46a93135d96b7fa075a94a88fe0da8e8773 (git)

Linux

Affected: 4.9
Unaffected: 0 , < 4.9 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.79 , ≤ 6.6.* (semver)
Unaffected: 6.12.16 , ≤ 6.12.* (semver)
Unaffected: 6.13.4 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21791",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T17:57:16.236835Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:02:26.723Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T20:59:34.647Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "include/net/l3mdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "20a3489b396764cc9376e32a9172bee26a89dc3b",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "5bb4228c32261d06e4fbece37ec3828bcc005b6b",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "c7574740be8ce68a57d0aece24987b9be2114c3c",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "c40cb5c03e37552d6eff963187109e2c3f78ef6f",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "022cac1c693add610ae76ede03adf4d9d5a2cf21",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "7b81425b517accefd46bee854d94954f5c57e019",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            },
            {
              "lessThan": "6d0ce46a93135d96b7fa075a94a88fe0da8e8773",
              "status": "affected",
              "version": "a8e3e1a9f02094145580ea7920c6a1d9aabd5539",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "include/net/l3mdev.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.9"
            },
            {
              "lessThan": "4.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.79",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.16",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.79",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.16",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.4",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "4.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nvrf: use RCU protection in l3mdev_l3_out()\n\nl3mdev_l3_out() can be called without RCU being held:\n\nraw_sendmsg()\n ip_push_pending_frames()\n  ip_send_skb()\n   ip_local_out()\n    __ip_local_out()\n     l3mdev_ip_out()\n\nAdd rcu_read_lock() / rcu_read_unlock() pair to avoid\na potential UAF."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:21:18.929Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6ccaa5797f5362a2aad6baa6ddaf4715ac2dd51e"
        },
        {
          "url": "https://git.kernel.org/stable/c/20a3489b396764cc9376e32a9172bee26a89dc3b"
        },
        {
          "url": "https://git.kernel.org/stable/c/5bb4228c32261d06e4fbece37ec3828bcc005b6b"
        },
        {
          "url": "https://git.kernel.org/stable/c/c7574740be8ce68a57d0aece24987b9be2114c3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/c40cb5c03e37552d6eff963187109e2c3f78ef6f"
        },
        {
          "url": "https://git.kernel.org/stable/c/022cac1c693add610ae76ede03adf4d9d5a2cf21"
        },
        {
          "url": "https://git.kernel.org/stable/c/7b81425b517accefd46bee854d94954f5c57e019"
        },
        {
          "url": "https://git.kernel.org/stable/c/6d0ce46a93135d96b7fa075a94a88fe0da8e8773"
        }
      ],
      "title": "vrf: use RCU protection in l3mdev_l3_out()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21791",
    "datePublished": "2025-02-27T02:18:29.014Z",
    "dateReserved": "2024-12-29T08:45:45.766Z",
    "dateUpdated": "2025-11-03T20:59:34.647Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21966 (GCVE-0-2025-21966)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-10-01 18:16

Title

dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature

Summary

In the Linux kernel, the following vulnerability has been resolved: dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature Fix memory corruption due to incorrect parameter being passed to bio_init

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-787 - Out-of-bounds Write

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/818330f756f3800c3…
	https://git.kernel.org/stable/c/5a87e46da2418c57b…
	https://git.kernel.org/stable/c/da070843e153471be…
	https://git.kernel.org/stable/c/57e9417f69839cb10…

Impacted products

Vendor

Product

Version

Linux

Affected: 1d9a943898533e83f20370c0e1448d606627522e , < 818330f756f3800c37d738bd36bce60eac949938 (git)
Affected: 1d9a943898533e83f20370c0e1448d606627522e , < 5a87e46da2418c57b445371f5ca0958d5779ba5f (git)
Affected: 1d9a943898533e83f20370c0e1448d606627522e , < da070843e153471be4297a12fdaa64023276f40e (git)
Affected: 1d9a943898533e83f20370c0e1448d606627522e , < 57e9417f69839cb10f7ffca684c38acd28ceb57b (git)

Linux

Affected: 6.5
Unaffected: 0 , < 6.5 (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21966",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T18:16:20.613850Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-787",
                "description": "CWE-787 Out-of-bounds Write",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T18:16:24.672Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-flakey.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "818330f756f3800c37d738bd36bce60eac949938",
              "status": "affected",
              "version": "1d9a943898533e83f20370c0e1448d606627522e",
              "versionType": "git"
            },
            {
              "lessThan": "5a87e46da2418c57b445371f5ca0958d5779ba5f",
              "status": "affected",
              "version": "1d9a943898533e83f20370c0e1448d606627522e",
              "versionType": "git"
            },
            {
              "lessThan": "da070843e153471be4297a12fdaa64023276f40e",
              "status": "affected",
              "version": "1d9a943898533e83f20370c0e1448d606627522e",
              "versionType": "git"
            },
            {
              "lessThan": "57e9417f69839cb10f7ffca684c38acd28ceb57b",
              "status": "affected",
              "version": "1d9a943898533e83f20370c0e1448d606627522e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/md/dm-flakey.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.5"
            },
            {
              "lessThan": "6.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndm-flakey: Fix memory corruption in optional corrupt_bio_byte feature\n\nFix memory corruption due to incorrect parameter being passed to bio_init"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:56.882Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/818330f756f3800c37d738bd36bce60eac949938"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a87e46da2418c57b445371f5ca0958d5779ba5f"
        },
        {
          "url": "https://git.kernel.org/stable/c/da070843e153471be4297a12fdaa64023276f40e"
        },
        {
          "url": "https://git.kernel.org/stable/c/57e9417f69839cb10f7ffca684c38acd28ceb57b"
        }
      ],
      "title": "dm-flakey: Fix memory corruption in optional corrupt_bio_byte feature",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21966",
    "datePublished": "2025-04-01T15:47:01.836Z",
    "dateReserved": "2024-12-29T08:45:45.796Z",
    "dateUpdated": "2025-10-01T18:16:24.672Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22104 (GCVE-0-2025-22104)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-05-26 05:18

Title

ibmvnic: Use kernel helpers for hex dumps

Summary

In the Linux kernel, the following vulnerability has been resolved: ibmvnic: Use kernel helpers for hex dumps Previously, when the driver was printing hex dumps, the buffer was cast to an 8 byte long and printed using string formatters. If the buffer size was not a multiple of 8 then a read buffer overflow was possible. Therefore, create a new ibmvnic function that loops over a buffer and calls hex_dump_to_buffer instead. This patch address KASAN reports like the one below: ibmvnic 30000003 env3: Login Buffer: ibmvnic 30000003 env3: 01000000af000000 <...> ibmvnic 30000003 env3: 2e6d62692e736261 ibmvnic 30000003 env3: 65050003006d6f63 ================================================================== BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic] Read of size 8 at addr c0000001331a9aa8 by task ip/17681 <...> Allocated by task 17681: <...> ibmvnic_login+0x2f0/0xffc [ibmvnic] ibmvnic_open+0x148/0x308 [ibmvnic] __dev_open+0x1ac/0x304 <...> The buggy address is located 168 bytes inside of allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf) <...> ================================================================= ibmvnic 30000003 env3: 000000000033766e

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/ae6b1d6c1acee3a20…
	https://git.kernel.org/stable/c/d93a6caab5d7d9b5c…

Impacted products

Vendor

Product

Version

Linux

Affected: 032c5e82847a2214c3196a90f0aeba0ce252de58 , < ae6b1d6c1acee3a2000394d83ec9f1028321e207 (git)
Affected: 032c5e82847a2214c3196a90f0aeba0ce252de58 , < d93a6caab5d7d9b5ce034d75b1e1e993338e3852 (git)

Linux

Affected: 4.5
Unaffected: 0 , < 4.5 (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ibm/ibmvnic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "ae6b1d6c1acee3a2000394d83ec9f1028321e207",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            },
            {
              "lessThan": "d93a6caab5d7d9b5ce034d75b1e1e993338e3852",
              "status": "affected",
              "version": "032c5e82847a2214c3196a90f0aeba0ce252de58",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/ethernet/ibm/ibmvnic.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.5"
            },
            {
              "lessThan": "4.5",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.5",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nibmvnic: Use kernel helpers for hex dumps\n\nPreviously, when the driver was printing hex dumps, the buffer was cast\nto an 8 byte long and printed using string formatters. If the buffer\nsize was not a multiple of 8 then a read buffer overflow was possible.\n\nTherefore, create a new ibmvnic function that loops over a buffer and\ncalls hex_dump_to_buffer instead.\n\nThis patch address KASAN reports like the one below:\n  ibmvnic 30000003 env3: Login Buffer:\n  ibmvnic 30000003 env3: 01000000af000000\n  \u003c...\u003e\n  ibmvnic 30000003 env3: 2e6d62692e736261\n  ibmvnic 30000003 env3: 65050003006d6f63\n  ==================================================================\n  BUG: KASAN: slab-out-of-bounds in ibmvnic_login+0xacc/0xffc [ibmvnic]\n  Read of size 8 at addr c0000001331a9aa8 by task ip/17681\n  \u003c...\u003e\n  Allocated by task 17681:\n  \u003c...\u003e\n  ibmvnic_login+0x2f0/0xffc [ibmvnic]\n  ibmvnic_open+0x148/0x308 [ibmvnic]\n  __dev_open+0x1ac/0x304\n  \u003c...\u003e\n  The buggy address is located 168 bytes inside of\n                allocated 175-byte region [c0000001331a9a00, c0000001331a9aaf)\n  \u003c...\u003e\n  =================================================================\n  ibmvnic 30000003 env3: 000000000033766e"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:18:32.911Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/ae6b1d6c1acee3a2000394d83ec9f1028321e207"
        },
        {
          "url": "https://git.kernel.org/stable/c/d93a6caab5d7d9b5ce034d75b1e1e993338e3852"
        }
      ],
      "title": "ibmvnic: Use kernel helpers for hex dumps",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22104",
    "datePublished": "2025-04-16T14:12:53.118Z",
    "dateReserved": "2024-12-29T08:45:45.819Z",
    "dateUpdated": "2025-05-26T05:18:32.911Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-23140 (GCVE-0-2025-23140)

Vulnerability from cvelistv5 – Published: 2025-05-01 12:55 – Updated: 2025-11-03 19:42

Title

misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error

Summary

In the Linux kernel, the following vulnerability has been resolved: misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error After devm_request_irq() fails with error in pci_endpoint_test_request_irq(), the pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs have been released. However, some requested IRQs remain unreleased, so there are still /proc/irq/* entries remaining, and this results in WARN() with the following message: remove_proc_entry: removing non-empty directory 'irq/30', leaking at least 'pci-endpoint-test.0' WARNING: CPU: 0 PID: 202 at fs/proc/generic.c:719 remove_proc_entry +0x190/0x19c To solve this issue, set the number of remaining IRQs to test->num_irqs, and release IRQs in advance by calling pci_endpoint_test_release_irq(). [kwilczynski: commit log]

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/705be96504779e4a3…
	https://git.kernel.org/stable/c/e516e187bf32d8dec…
	https://git.kernel.org/stable/c/54c9f299ad7d7c4be…
	https://git.kernel.org/stable/c/9d5118b107b1a2353…
	https://git.kernel.org/stable/c/5a4b7181213268c9b…
	https://git.kernel.org/stable/c/0557e70e2aeba8647…
	https://git.kernel.org/stable/c/770407f6173f4f39f…
	https://git.kernel.org/stable/c/f6cb7828c8e17520d…

Impacted products

Vendor

Product

Version

Linux

Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < 705be96504779e4a333ea042b4779ea941f0ace9 (git)
Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < e516e187bf32d8decc7c7d0025ae4857cad13c0e (git)
Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < 54c9f299ad7d7c4be5d271ed12d01a59e95b8907 (git)
Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < 9d5118b107b1a2353ed0dff24404aee2e6b7ca0a (git)
Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < 5a4b7181213268c9b07bef8800905528435db44a (git)
Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < 0557e70e2aeba8647bf5a950820b67cfb86533db (git)
Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < 770407f6173f4f39f4e2c1b54422b79ce6c98bdb (git)
Affected: e03327122e2c8e6ae4565ef5b3d3cbe4364546a1 , < f6cb7828c8e17520d4f5afb416515d3fae1af9a9 (git)

Linux

Affected: 4.19
Unaffected: 0 , < 4.19 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:25.618Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/pci_endpoint_test.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "705be96504779e4a333ea042b4779ea941f0ace9",
              "status": "affected",
              "version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
              "versionType": "git"
            },
            {
              "lessThan": "e516e187bf32d8decc7c7d0025ae4857cad13c0e",
              "status": "affected",
              "version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
              "versionType": "git"
            },
            {
              "lessThan": "54c9f299ad7d7c4be5d271ed12d01a59e95b8907",
              "status": "affected",
              "version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
              "versionType": "git"
            },
            {
              "lessThan": "9d5118b107b1a2353ed0dff24404aee2e6b7ca0a",
              "status": "affected",
              "version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
              "versionType": "git"
            },
            {
              "lessThan": "5a4b7181213268c9b07bef8800905528435db44a",
              "status": "affected",
              "version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
              "versionType": "git"
            },
            {
              "lessThan": "0557e70e2aeba8647bf5a950820b67cfb86533db",
              "status": "affected",
              "version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
              "versionType": "git"
            },
            {
              "lessThan": "770407f6173f4f39f4e2c1b54422b79ce6c98bdb",
              "status": "affected",
              "version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
              "versionType": "git"
            },
            {
              "lessThan": "f6cb7828c8e17520d4f5afb416515d3fae1af9a9",
              "status": "affected",
              "version": "e03327122e2c8e6ae4565ef5b3d3cbe4364546a1",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/misc/pci_endpoint_test.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.19"
            },
            {
              "lessThan": "4.19",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.19",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmisc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error\n\nAfter devm_request_irq() fails with error in pci_endpoint_test_request_irq(),\nthe pci_endpoint_test_free_irq_vectors() is called assuming that all IRQs\nhave been released.\n\nHowever, some requested IRQs remain unreleased, so there are still\n/proc/irq/* entries remaining, and this results in WARN() with the\nfollowing message:\n\n  remove_proc_entry: removing non-empty directory \u0027irq/30\u0027, leaking at least \u0027pci-endpoint-test.0\u0027\n  WARNING: CPU: 0 PID: 202 at fs/proc/generic.c:719 remove_proc_entry +0x190/0x19c\n\nTo solve this issue, set the number of remaining IRQs to test-\u003enum_irqs,\nand release IRQs in advance by calling pci_endpoint_test_release_irq().\n\n[kwilczynski: commit log]"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:19:18.948Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/705be96504779e4a333ea042b4779ea941f0ace9"
        },
        {
          "url": "https://git.kernel.org/stable/c/e516e187bf32d8decc7c7d0025ae4857cad13c0e"
        },
        {
          "url": "https://git.kernel.org/stable/c/54c9f299ad7d7c4be5d271ed12d01a59e95b8907"
        },
        {
          "url": "https://git.kernel.org/stable/c/9d5118b107b1a2353ed0dff24404aee2e6b7ca0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/5a4b7181213268c9b07bef8800905528435db44a"
        },
        {
          "url": "https://git.kernel.org/stable/c/0557e70e2aeba8647bf5a950820b67cfb86533db"
        },
        {
          "url": "https://git.kernel.org/stable/c/770407f6173f4f39f4e2c1b54422b79ce6c98bdb"
        },
        {
          "url": "https://git.kernel.org/stable/c/f6cb7828c8e17520d4f5afb416515d3fae1af9a9"
        }
      ],
      "title": "misc: pci_endpoint_test: Avoid issue of interrupts remaining after request_irq error",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-23140",
    "datePublished": "2025-05-01T12:55:30.885Z",
    "dateReserved": "2025-01-11T14:28:41.512Z",
    "dateUpdated": "2025-11-03T19:42:25.618Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-58092 (GCVE-0-2024-58092)

Vulnerability from cvelistv5 – Published: 2025-04-16 10:24 – Updated: 2025-05-04 10:09

Title

nfsd: fix legacy client tracking initialization

Summary

In the Linux kernel, the following vulnerability has been resolved: nfsd: fix legacy client tracking initialization Get rid of the nfsd4_legacy_tracking_ops->init() call in check_for_legacy_methods(). That will be handled in the caller (nfsd4_client_tracking_init()). Otherwise, we'll wind up calling nfsd4_legacy_tracking_ops->init() twice, and the second time we'll trigger the BUG_ON() in nfsd4_init_recdir().

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/95407304253a4bf03…
	https://git.kernel.org/stable/c/cdd66082b227eb695…
	https://git.kernel.org/stable/c/de71d4e211eddb670…

Impacted products

Vendor

Product

Version

Linux

Affected: 74fd48739d0488e39ae18b0168720f449a06690c , < 95407304253a4bf03494d921c6913e220c26cc63 (git)
Affected: 74fd48739d0488e39ae18b0168720f449a06690c , < cdd66082b227eb695cbf54b7c121ea032e869981 (git)
Affected: 74fd48739d0488e39ae18b0168720f449a06690c , < de71d4e211eddb670b285a0ea477a299601ce1ca (git)

Linux

Affected: 6.8
Unaffected: 0 , < 6.8 (semver)
Unaffected: 6.12.22 , ≤ 6.12.* (semver)
Unaffected: 6.13.10 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4recover.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "95407304253a4bf03494d921c6913e220c26cc63",
              "status": "affected",
              "version": "74fd48739d0488e39ae18b0168720f449a06690c",
              "versionType": "git"
            },
            {
              "lessThan": "cdd66082b227eb695cbf54b7c121ea032e869981",
              "status": "affected",
              "version": "74fd48739d0488e39ae18b0168720f449a06690c",
              "versionType": "git"
            },
            {
              "lessThan": "de71d4e211eddb670b285a0ea477a299601ce1ca",
              "status": "affected",
              "version": "74fd48739d0488e39ae18b0168720f449a06690c",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/nfsd/nfs4recover.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.8"
            },
            {
              "lessThan": "6.8",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.22",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.10",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.22",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.10",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "6.8",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nnfsd: fix legacy client tracking initialization\n\nGet rid of the nfsd4_legacy_tracking_ops-\u003einit() call in\ncheck_for_legacy_methods().  That will be handled in the caller\n(nfsd4_client_tracking_init()).  Otherwise, we\u0027ll wind up calling\nnfsd4_legacy_tracking_ops-\u003einit() twice, and the second time we\u0027ll\ntrigger the BUG_ON() in nfsd4_init_recdir()."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:54.155Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/95407304253a4bf03494d921c6913e220c26cc63"
        },
        {
          "url": "https://git.kernel.org/stable/c/cdd66082b227eb695cbf54b7c121ea032e869981"
        },
        {
          "url": "https://git.kernel.org/stable/c/de71d4e211eddb670b285a0ea477a299601ce1ca"
        }
      ],
      "title": "nfsd: fix legacy client tracking initialization",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58092",
    "datePublished": "2025-04-16T10:24:53.056Z",
    "dateReserved": "2025-03-06T15:52:09.188Z",
    "dateUpdated": "2025-05-04T10:09:54.155Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37760 (GCVE-0-2025-37760)

Vulnerability from cvelistv5 – Published: 2025-05-01 13:07 – Updated: 2025-05-26 05:20

Title

mm/vma: add give_up_on_oom option on modify/merge, use in uffd release

Summary

In the Linux kernel, the following vulnerability has been resolved: mm/vma: add give_up_on_oom option on modify/merge, use in uffd release Currently, if a VMA merge fails due to an OOM condition arising on commit merge or a failure to duplicate anon_vma's, we report this so the caller can handle it. However there are cases where the caller is only ostensibly trying a merge, and doesn't mind if it fails due to this condition. Since we do not want to introduce an implicit assumption that we only actually modify VMAs after OOM conditions might arise, add a 'give up on oom' option and make an explicit contract that, should this flag be set, we absolutely will not modify any VMAs should OOM arise and just bail out. Since it'd be very unusual for a user to try to vma_modify() with this flag set but be specifying a range within a VMA which ends up being split (which can fail due to rlimit issues, not only OOM), we add a debug warning for this condition. The motivating reason for this is uffd release - syzkaller (and Pedro Falcato's VERY astute analysis) found a way in which an injected fault on allocation, triggering an OOM condition on commit merge, would result in uffd code becoming confused and treating an error value as if it were a VMA pointer. To avoid this, we make use of this new VMG flag to ensure that this never occurs, utilising the fact that, should we be clearing entire VMAs, we do not wish an OOM event to be reported to us. Many thanks to Pedro Falcato for his excellent analysis and Jann Horn for his insightful and intelligent analysis of the situation, both of whom were instrumental in this fix.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b906c1ad25adce6ff…
	https://git.kernel.org/stable/c/c103a75c61648203d…
	https://git.kernel.org/stable/c/41e6ddcaa0f18dda4…

Impacted products

Vendor

Product

Version

Linux

Affected: 79636d2981b066acd945117387a9533f56411f6f , < b906c1ad25adce6ff35be19b65a1aa7d960fe1d7 (git)
Affected: 47b16d0462a460000b8f05dfb1292377ac48f3ca , < c103a75c61648203d731e3b97a6fbeea4003cb15 (git)
Affected: 47b16d0462a460000b8f05dfb1292377ac48f3ca , < 41e6ddcaa0f18dda4c3fadf22533775a30d6f72f (git)
Affected: 53fd215f7886a1e8dea5a9ca1391dbb697fff601 (git)

Linux

Affected: 6.14
Unaffected: 0 , < 6.14 (semver)
Unaffected: 6.12.25 , ≤ 6.12.* (semver)
Unaffected: 6.14.4 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "mm/userfaultfd.c",
            "mm/vma.c",
            "mm/vma.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b906c1ad25adce6ff35be19b65a1aa7d960fe1d7",
              "status": "affected",
              "version": "79636d2981b066acd945117387a9533f56411f6f",
              "versionType": "git"
            },
            {
              "lessThan": "c103a75c61648203d731e3b97a6fbeea4003cb15",
              "status": "affected",
              "version": "47b16d0462a460000b8f05dfb1292377ac48f3ca",
              "versionType": "git"
            },
            {
              "lessThan": "41e6ddcaa0f18dda4c3fadf22533775a30d6f72f",
              "status": "affected",
              "version": "47b16d0462a460000b8f05dfb1292377ac48f3ca",
              "versionType": "git"
            },
            {
              "status": "affected",
              "version": "53fd215f7886a1e8dea5a9ca1391dbb697fff601",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "mm/userfaultfd.c",
            "mm/vma.c",
            "mm/vma.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.14"
            },
            {
              "lessThan": "6.14",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.25",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.4",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.25",
                  "versionStartIncluding": "6.12.19",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.4",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.14",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionStartIncluding": "6.13.7",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmm/vma: add give_up_on_oom option on modify/merge, use in uffd release\n\nCurrently, if a VMA merge fails due to an OOM condition arising on commit\nmerge or a failure to duplicate anon_vma\u0027s, we report this so the caller\ncan handle it.\n\nHowever there are cases where the caller is only ostensibly trying a\nmerge, and doesn\u0027t mind if it fails due to this condition.\n\nSince we do not want to introduce an implicit assumption that we only\nactually modify VMAs after OOM conditions might arise, add a \u0027give up on\noom\u0027 option and make an explicit contract that, should this flag be set, we\nabsolutely will not modify any VMAs should OOM arise and just bail out.\n\nSince it\u0027d be very unusual for a user to try to vma_modify() with this flag\nset but be specifying a range within a VMA which ends up being split (which\ncan fail due to rlimit issues, not only OOM), we add a debug warning for\nthis condition.\n\nThe motivating reason for this is uffd release - syzkaller (and Pedro\nFalcato\u0027s VERY astute analysis) found a way in which an injected fault on\nallocation, triggering an OOM condition on commit merge, would result in\nuffd code becoming confused and treating an error value as if it were a VMA\npointer.\n\nTo avoid this, we make use of this new VMG flag to ensure that this never\noccurs, utilising the fact that, should we be clearing entire VMAs, we do\nnot wish an OOM event to be reported to us.\n\nMany thanks to Pedro Falcato for his excellent analysis and Jann Horn for\nhis insightful and intelligent analysis of the situation, both of whom were\ninstrumental in this fix."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:20:17.391Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b906c1ad25adce6ff35be19b65a1aa7d960fe1d7"
        },
        {
          "url": "https://git.kernel.org/stable/c/c103a75c61648203d731e3b97a6fbeea4003cb15"
        },
        {
          "url": "https://git.kernel.org/stable/c/41e6ddcaa0f18dda4c3fadf22533775a30d6f72f"
        }
      ],
      "title": "mm/vma: add give_up_on_oom option on modify/merge, use in uffd release",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37760",
    "datePublished": "2025-05-01T13:07:02.617Z",
    "dateReserved": "2025-04-16T04:51:23.938Z",
    "dateUpdated": "2025-05-26T05:20:17.391Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-21967 (GCVE-0-2025-21967)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:47 – Updated: 2025-05-04 07:25

Title

ksmbd: fix use-after-free in ksmbd_free_work_struct

Summary

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in ksmbd_free_work_struct ->interim_entry of ksmbd_work could be deleted after oplock is freed. We don't need to manage it with linked list. The interim request could be immediately sent whenever a oplock break wait is needed.

Severity ?

7.8 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-416 - Use After Free

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/fb776765bfc21d5e4…
	https://git.kernel.org/stable/c/62746ae3f5414244a…
	https://git.kernel.org/stable/c/eb51f6f59d19b92f6…
	https://git.kernel.org/stable/c/bb39ed47065455604…

Impacted products

Vendor

Product

Version

Linux

Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < fb776765bfc21d5e4ed03bb3d4406c2b86ff1ac3 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < 62746ae3f5414244a96293e3b017be637b641280 (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < eb51f6f59d19b92f6fe84d3873f958495ab32f0a (git)
Affected: 0626e6641f6b467447c81dd7678a69c66f7746cf , < bb39ed47065455604729404729d9116868638d31 (git)

Linux

Affected: 5.15
Unaffected: 0 , < 5.15 (semver)
Unaffected: 6.6.84 , ≤ 6.6.* (semver)
Unaffected: 6.12.20 , ≤ 6.12.* (semver)
Unaffected: 6.13.8 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 7.8,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21967",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-04-16T13:14:51.011092Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-416",
                "description": "CWE-416 Use After Free",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-04-16T13:19:52.457Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/ksmbd_work.c",
            "fs/smb/server/ksmbd_work.h",
            "fs/smb/server/oplock.c",
            "fs/smb/server/oplock.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "fb776765bfc21d5e4ed03bb3d4406c2b86ff1ac3",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "62746ae3f5414244a96293e3b017be637b641280",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "eb51f6f59d19b92f6fe84d3873f958495ab32f0a",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            },
            {
              "lessThan": "bb39ed47065455604729404729d9116868638d31",
              "status": "affected",
              "version": "0626e6641f6b467447c81dd7678a69c66f7746cf",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "fs/smb/server/ksmbd_work.c",
            "fs/smb/server/ksmbd_work.h",
            "fs/smb/server/oplock.c",
            "fs/smb/server/oplock.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "5.15"
            },
            {
              "lessThan": "5.15",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.84",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.20",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.8",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.84",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.20",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.8",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "5.15",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nksmbd: fix use-after-free in ksmbd_free_work_struct\n\n-\u003einterim_entry of ksmbd_work could be deleted after oplock is freed.\nWe don\u0027t need to manage it with linked list. The interim request could be\nimmediately sent whenever a oplock break wait is needed."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:25:58.206Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/fb776765bfc21d5e4ed03bb3d4406c2b86ff1ac3"
        },
        {
          "url": "https://git.kernel.org/stable/c/62746ae3f5414244a96293e3b017be637b641280"
        },
        {
          "url": "https://git.kernel.org/stable/c/eb51f6f59d19b92f6fe84d3873f958495ab32f0a"
        },
        {
          "url": "https://git.kernel.org/stable/c/bb39ed47065455604729404729d9116868638d31"
        }
      ],
      "title": "ksmbd: fix use-after-free in ksmbd_free_work_struct",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21967",
    "datePublished": "2025-04-01T15:47:02.364Z",
    "dateReserved": "2024-12-29T08:45:45.796Z",
    "dateUpdated": "2025-05-04T07:25:58.206Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-22045 (GCVE-0-2025-22045)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-11-03 19:41

Title

x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs

Summary

In the Linux kernel, the following vulnerability has been resolved: x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs On the following path, flush_tlb_range() can be used for zapping normal PMD entries (PMD entries that point to page tables) together with the PTE entries in the pointed-to page table: collapse_pte_mapped_thp pmdp_collapse_flush flush_tlb_range The arm64 version of flush_tlb_range() has a comment describing that it can be used for page table removal, and does not use any last-level invalidation optimizations. Fix the X86 version by making it behave the same way. Currently, X86 only uses this information for the following two purposes, which I think means the issue doesn't have much impact: - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be IPI'd to avoid issues with speculative page table walks. - In Hyper-V TLB paravirtualization, again for lazy TLB stuff. The patch "x86/mm: only invalidate final translations with INVLPGB" which is currently under review (see <https://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/>) would probably be making the impact of this a lot worse.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/618d5612ecb7bfc1c…
	https://git.kernel.org/stable/c/556d446068f90981e…
	https://git.kernel.org/stable/c/0a8f806ea6b5dd64b…
	https://git.kernel.org/stable/c/0708fd6bd8161871b…
	https://git.kernel.org/stable/c/7085895c59e4057ff…
	https://git.kernel.org/stable/c/93224deb50a8d20df…
	https://git.kernel.org/stable/c/320ac1af4c0bdb92c…
	https://git.kernel.org/stable/c/78d6f9a9eb2a5da6f…
	https://git.kernel.org/stable/c/3ef938c3503563bfc…

Impacted products

Vendor

Product

Version

Linux

Affected: 016c4d92cd16f569c6485ae62b076c1a4b779536 , < 618d5612ecb7bfc1c85342daafeb2b47e29e77a3 (git)
Affected: 016c4d92cd16f569c6485ae62b076c1a4b779536 , < 556d446068f90981e5d71ca686bdaccdd545d491 (git)
Affected: 016c4d92cd16f569c6485ae62b076c1a4b779536 , < 0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1 (git)
Affected: 016c4d92cd16f569c6485ae62b076c1a4b779536 , < 0708fd6bd8161871bfbadced2ca4319b84ab44fe (git)
Affected: 016c4d92cd16f569c6485ae62b076c1a4b779536 , < 7085895c59e4057ffae17f58990ccb630087d0d2 (git)
Affected: 016c4d92cd16f569c6485ae62b076c1a4b779536 , < 93224deb50a8d20df3884f3672ce9f982129aa50 (git)
Affected: 016c4d92cd16f569c6485ae62b076c1a4b779536 , < 320ac1af4c0bdb92c864dc9250d1329234820edf (git)
Affected: 016c4d92cd16f569c6485ae62b076c1a4b779536 , < 78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be (git)
Affected: 016c4d92cd16f569c6485ae62b076c1a4b779536 , < 3ef938c3503563bfc2ac15083557f880d29c2e64 (git)

Linux

Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 5.4.292 , ≤ 5.4.* (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:41:30.092Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/tlbflush.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "618d5612ecb7bfc1c85342daafeb2b47e29e77a3",
              "status": "affected",
              "version": "016c4d92cd16f569c6485ae62b076c1a4b779536",
              "versionType": "git"
            },
            {
              "lessThan": "556d446068f90981e5d71ca686bdaccdd545d491",
              "status": "affected",
              "version": "016c4d92cd16f569c6485ae62b076c1a4b779536",
              "versionType": "git"
            },
            {
              "lessThan": "0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1",
              "status": "affected",
              "version": "016c4d92cd16f569c6485ae62b076c1a4b779536",
              "versionType": "git"
            },
            {
              "lessThan": "0708fd6bd8161871bfbadced2ca4319b84ab44fe",
              "status": "affected",
              "version": "016c4d92cd16f569c6485ae62b076c1a4b779536",
              "versionType": "git"
            },
            {
              "lessThan": "7085895c59e4057ffae17f58990ccb630087d0d2",
              "status": "affected",
              "version": "016c4d92cd16f569c6485ae62b076c1a4b779536",
              "versionType": "git"
            },
            {
              "lessThan": "93224deb50a8d20df3884f3672ce9f982129aa50",
              "status": "affected",
              "version": "016c4d92cd16f569c6485ae62b076c1a4b779536",
              "versionType": "git"
            },
            {
              "lessThan": "320ac1af4c0bdb92c864dc9250d1329234820edf",
              "status": "affected",
              "version": "016c4d92cd16f569c6485ae62b076c1a4b779536",
              "versionType": "git"
            },
            {
              "lessThan": "78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be",
              "status": "affected",
              "version": "016c4d92cd16f569c6485ae62b076c1a4b779536",
              "versionType": "git"
            },
            {
              "lessThan": "3ef938c3503563bfc2ac15083557f880d29c2e64",
              "status": "affected",
              "version": "016c4d92cd16f569c6485ae62b076c1a4b779536",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "arch/x86/include/asm/tlbflush.h"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "4.20"
            },
            {
              "lessThan": "4.20",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.292",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.236",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.180",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.292",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.236",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.180",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "4.20",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nx86/mm: Fix flush_tlb_range() when used for zapping normal PMDs\n\nOn the following path, flush_tlb_range() can be used for zapping normal\nPMD entries (PMD entries that point to page tables) together with the PTE\nentries in the pointed-to page table:\n\n    collapse_pte_mapped_thp\n      pmdp_collapse_flush\n        flush_tlb_range\n\nThe arm64 version of flush_tlb_range() has a comment describing that it can\nbe used for page table removal, and does not use any last-level\ninvalidation optimizations. Fix the X86 version by making it behave the\nsame way.\n\nCurrently, X86 only uses this information for the following two purposes,\nwhich I think means the issue doesn\u0027t have much impact:\n\n - In native_flush_tlb_multi() for checking if lazy TLB CPUs need to be\n   IPI\u0027d to avoid issues with speculative page table walks.\n - In Hyper-V TLB paravirtualization, again for lazy TLB stuff.\n\nThe patch \"x86/mm: only invalidate final translations with INVLPGB\" which\nis currently under review (see\n\u003chttps://lore.kernel.org/all/20241230175550.4046587-13-riel@surriel.com/\u003e)\nwould probably be making the impact of this a lot worse."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:17:16.433Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/618d5612ecb7bfc1c85342daafeb2b47e29e77a3"
        },
        {
          "url": "https://git.kernel.org/stable/c/556d446068f90981e5d71ca686bdaccdd545d491"
        },
        {
          "url": "https://git.kernel.org/stable/c/0a8f806ea6b5dd64b3d1f05ff774817d5f7ddbd1"
        },
        {
          "url": "https://git.kernel.org/stable/c/0708fd6bd8161871bfbadced2ca4319b84ab44fe"
        },
        {
          "url": "https://git.kernel.org/stable/c/7085895c59e4057ffae17f58990ccb630087d0d2"
        },
        {
          "url": "https://git.kernel.org/stable/c/93224deb50a8d20df3884f3672ce9f982129aa50"
        },
        {
          "url": "https://git.kernel.org/stable/c/320ac1af4c0bdb92c864dc9250d1329234820edf"
        },
        {
          "url": "https://git.kernel.org/stable/c/78d6f9a9eb2a5da6fcbd76d6191d24b0dcc321be"
        },
        {
          "url": "https://git.kernel.org/stable/c/3ef938c3503563bfc2ac15083557f880d29c2e64"
        }
      ],
      "title": "x86/mm: Fix flush_tlb_range() when used for zapping normal PMDs",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22045",
    "datePublished": "2025-04-16T14:12:05.849Z",
    "dateReserved": "2024-12-29T08:45:45.810Z",
    "dateUpdated": "2025-11-03T19:41:30.092Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21862 (GCVE-0-2025-21862)

Vulnerability from cvelistv5 – Published: 2025-03-12 09:42 – Updated: 2025-11-03 19:38

Title

drop_monitor: fix incorrect initialization order

Summary

In the Linux kernel, the following vulnerability has been resolved: drop_monitor: fix incorrect initialization order Syzkaller reports the following bug: BUG: spinlock bad magic on CPU#1, syz-executor.0/7995 lock: 0xffff88805303f3e0, .magic: 00000000, .owner: <none>/-1, .owner_cpu: 0 CPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G E 5.10.209+ #1 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x119/0x179 lib/dump_stack.c:118 debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline] do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline] _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159 reset_per_cpu_data+0xe6/0x240 [drop_monitor] net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor] genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739 genl_family_rcv_msg net/netlink/genetlink.c:783 [inline] genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800 netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497 genl_rcv+0x29/0x40 net/netlink/genetlink.c:811 netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline] netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348 netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916 sock_sendmsg_nosec net/socket.c:651 [inline] __sock_sendmsg+0x157/0x190 net/socket.c:663 ____sys_sendmsg+0x712/0x870 net/socket.c:2378 ___sys_sendmsg+0xf8/0x170 net/socket.c:2432 __sys_sendmsg+0xea/0x1b0 net/socket.c:2461 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x62/0xc7 RIP: 0033:0x7f3f9815aee9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9 RDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007 RBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768 If drop_monitor is built as a kernel module, syzkaller may have time to send a netlink NET_DM_CMD_START message during the module loading. This will call the net_dm_monitor_start() function that uses a spinlock that has not yet been initialized. To fix this, let's place resource initialization above the registration of a generic netlink family. Found by InfoTeCS on behalf of Linux Verification Center (linuxtesting.org) with Syzkaller.

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-908 - Use of Uninitialized Resource

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6e9e0f224ffd8b819…
	https://git.kernel.org/stable/c/29f9cdcab3d96d520…
	https://git.kernel.org/stable/c/872c7c7e57a746046…
	https://git.kernel.org/stable/c/fcfc00bfec7bb6661…
	https://git.kernel.org/stable/c/0efa6c42f81c60d8f…
	https://git.kernel.org/stable/c/b7859e8643e75619b…
	https://git.kernel.org/stable/c/219a47d0e6195bd20…
	https://git.kernel.org/stable/c/07b598c0e6f06a0f2…

Impacted products

Vendor

Product

Version

Linux

Affected: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 , < 6e9e0f224ffd8b819da3ea247dda404795fdd182 (git)
Affected: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 , < 29f9cdcab3d96d5207a5c92b52c40ad75e5915d8 (git)
Affected: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 , < 872c7c7e57a746046796ddfead529c9d37b9f6b4 (git)
Affected: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 , < fcfc00bfec7bb6661074cb21356d05a4c9470a3c (git)
Affected: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 , < 0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282 (git)
Affected: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 , < b7859e8643e75619b2705b4fcac93ffd94d72b4a (git)
Affected: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 , < 219a47d0e6195bd202f22855e35f25bd15bc4d58 (git)
Affected: 9a8afc8d3962f3ed26fd6b56db34133860ed1e72 , < 07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea (git)

Linux

Affected: 2.6.30
Unaffected: 0 , < 2.6.30 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.130 , ≤ 6.1.* (semver)
Unaffected: 6.6.80 , ≤ 6.6.* (semver)
Unaffected: 6.12.17 , ≤ 6.12.* (semver)
Unaffected: 6.13.5 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2025-21862",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:25:42.627398Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-908",
                "description": "CWE-908 Use of Uninitialized Resource",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:26:37.640Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:19.222Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "net/core/drop_monitor.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "6e9e0f224ffd8b819da3ea247dda404795fdd182",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "29f9cdcab3d96d5207a5c92b52c40ad75e5915d8",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "872c7c7e57a746046796ddfead529c9d37b9f6b4",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "fcfc00bfec7bb6661074cb21356d05a4c9470a3c",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "b7859e8643e75619b2705b4fcac93ffd94d72b4a",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "219a47d0e6195bd202f22855e35f25bd15bc4d58",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            },
            {
              "lessThan": "07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea",
              "status": "affected",
              "version": "9a8afc8d3962f3ed26fd6b56db34133860ed1e72",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "net/core/drop_monitor.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.30"
            },
            {
              "lessThan": "2.6.30",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.130",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.80",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.17",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.130",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.80",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.17",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.5",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.30",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrop_monitor: fix incorrect initialization order\n\nSyzkaller reports the following bug:\n\nBUG: spinlock bad magic on CPU#1, syz-executor.0/7995\n lock: 0xffff88805303f3e0, .magic: 00000000, .owner: \u003cnone\u003e/-1, .owner_cpu: 0\nCPU: 1 PID: 7995 Comm: syz-executor.0 Tainted: G            E     5.10.209+ #1\nHardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020\nCall Trace:\n __dump_stack lib/dump_stack.c:77 [inline]\n dump_stack+0x119/0x179 lib/dump_stack.c:118\n debug_spin_lock_before kernel/locking/spinlock_debug.c:83 [inline]\n do_raw_spin_lock+0x1f6/0x270 kernel/locking/spinlock_debug.c:112\n __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:117 [inline]\n _raw_spin_lock_irqsave+0x50/0x70 kernel/locking/spinlock.c:159\n reset_per_cpu_data+0xe6/0x240 [drop_monitor]\n net_dm_cmd_trace+0x43d/0x17a0 [drop_monitor]\n genl_family_rcv_msg_doit+0x22f/0x330 net/netlink/genetlink.c:739\n genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]\n genl_rcv_msg+0x341/0x5a0 net/netlink/genetlink.c:800\n netlink_rcv_skb+0x14d/0x440 net/netlink/af_netlink.c:2497\n genl_rcv+0x29/0x40 net/netlink/genetlink.c:811\n netlink_unicast_kernel net/netlink/af_netlink.c:1322 [inline]\n netlink_unicast+0x54b/0x800 net/netlink/af_netlink.c:1348\n netlink_sendmsg+0x914/0xe00 net/netlink/af_netlink.c:1916\n sock_sendmsg_nosec net/socket.c:651 [inline]\n __sock_sendmsg+0x157/0x190 net/socket.c:663\n ____sys_sendmsg+0x712/0x870 net/socket.c:2378\n ___sys_sendmsg+0xf8/0x170 net/socket.c:2432\n __sys_sendmsg+0xea/0x1b0 net/socket.c:2461\n do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46\n entry_SYSCALL_64_after_hwframe+0x62/0xc7\nRIP: 0033:0x7f3f9815aee9\nCode: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 \u003c48\u003e 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b0 ff ff ff f7 d8 64 89 01 48\nRSP: 002b:00007f3f972bf0c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e\nRAX: ffffffffffffffda RBX: 00007f3f9826d050 RCX: 00007f3f9815aee9\nRDX: 0000000020000000 RSI: 0000000020001300 RDI: 0000000000000007\nRBP: 00007f3f981b63bd R08: 0000000000000000 R09: 0000000000000000\nR10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000\nR13: 000000000000006e R14: 00007f3f9826d050 R15: 00007ffe01ee6768\n\nIf drop_monitor is built as a kernel module, syzkaller may have time\nto send a netlink NET_DM_CMD_START message during the module loading.\nThis will call the net_dm_monitor_start() function that uses\na spinlock that has not yet been initialized.\n\nTo fix this, let\u0027s place resource initialization above the registration\nof a generic netlink family.\n\nFound by InfoTeCS on behalf of Linux Verification Center\n(linuxtesting.org) with Syzkaller."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T07:22:45.225Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/6e9e0f224ffd8b819da3ea247dda404795fdd182"
        },
        {
          "url": "https://git.kernel.org/stable/c/29f9cdcab3d96d5207a5c92b52c40ad75e5915d8"
        },
        {
          "url": "https://git.kernel.org/stable/c/872c7c7e57a746046796ddfead529c9d37b9f6b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/fcfc00bfec7bb6661074cb21356d05a4c9470a3c"
        },
        {
          "url": "https://git.kernel.org/stable/c/0efa6c42f81c60d8f72ba7f5ed8d4fec8c526282"
        },
        {
          "url": "https://git.kernel.org/stable/c/b7859e8643e75619b2705b4fcac93ffd94d72b4a"
        },
        {
          "url": "https://git.kernel.org/stable/c/219a47d0e6195bd202f22855e35f25bd15bc4d58"
        },
        {
          "url": "https://git.kernel.org/stable/c/07b598c0e6f06a0f254c88dafb4ad50f8a8c6eea"
        }
      ],
      "title": "drop_monitor: fix incorrect initialization order",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21862",
    "datePublished": "2025-03-12T09:42:19.881Z",
    "dateReserved": "2024-12-29T08:45:45.780Z",
    "dateUpdated": "2025-11-03T19:38:19.222Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22087 (GCVE-0-2025-22087)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-05-26 05:18

Title

bpf: Fix array bounds error with may_goto

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf: Fix array bounds error with may_goto may_goto uses an additional 8 bytes on the stack, which causes the interpreters[] array to go out of bounds when calculating index by stack_size. 1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT cases, reject loading directly. 2. For non-JIT cases, calculating interpreters[idx] may still cause out-of-bounds array access, and just warn about it. 3. For jit_requested cases, the execution of bpf_func also needs to be warned. So move the definition of function __bpf_prog_ret0_warn out of the macro definition CONFIG_BPF_JIT_ALWAYS_ON.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/19e6817f84000d0b0…
	https://git.kernel.org/stable/c/4524b7febdd55fb99…
	https://git.kernel.org/stable/c/1a86ae57b2600e574…
	https://git.kernel.org/stable/c/6ebc5030e0c5a698f…

Impacted products

Vendor

Product

Version

Linux

Affected: 011832b97b311bb9e3c27945bc0d1089a14209c9 , < 19e6817f84000d0b06f09fd69ebd56217842c122 (git)
Affected: 011832b97b311bb9e3c27945bc0d1089a14209c9 , < 4524b7febdd55fb99ae2e1f48db64019fa69e643 (git)
Affected: 011832b97b311bb9e3c27945bc0d1089a14209c9 , < 1a86ae57b2600e5749f5f674e9d4296ac00c69a8 (git)
Affected: 011832b97b311bb9e3c27945bc0d1089a14209c9 , < 6ebc5030e0c5a698f1dd9a6684cddf6ccaed64a0 (git)

Linux

Affected: 6.9
Unaffected: 0 , < 6.9 (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/core.c",
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "19e6817f84000d0b06f09fd69ebd56217842c122",
              "status": "affected",
              "version": "011832b97b311bb9e3c27945bc0d1089a14209c9",
              "versionType": "git"
            },
            {
              "lessThan": "4524b7febdd55fb99ae2e1f48db64019fa69e643",
              "status": "affected",
              "version": "011832b97b311bb9e3c27945bc0d1089a14209c9",
              "versionType": "git"
            },
            {
              "lessThan": "1a86ae57b2600e5749f5f674e9d4296ac00c69a8",
              "status": "affected",
              "version": "011832b97b311bb9e3c27945bc0d1089a14209c9",
              "versionType": "git"
            },
            {
              "lessThan": "6ebc5030e0c5a698f1dd9a6684cddf6ccaed64a0",
              "status": "affected",
              "version": "011832b97b311bb9e3c27945bc0d1089a14209c9",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "kernel/bpf/core.c",
            "kernel/bpf/verifier.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.9"
            },
            {
              "lessThan": "6.9",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.9",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf: Fix array bounds error with may_goto\n\nmay_goto uses an additional 8 bytes on the stack, which causes the\ninterpreters[] array to go out of bounds when calculating index by\nstack_size.\n\n1. If a BPF program is rewritten, re-evaluate the stack size. For non-JIT\ncases, reject loading directly.\n\n2. For non-JIT cases, calculating interpreters[idx] may still cause\nout-of-bounds array access, and just warn about it.\n\n3. For jit_requested cases, the execution of bpf_func also needs to be\nwarned. So move the definition of function __bpf_prog_ret0_warn out of\nthe macro definition CONFIG_BPF_JIT_ALWAYS_ON."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:18:11.843Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/19e6817f84000d0b06f09fd69ebd56217842c122"
        },
        {
          "url": "https://git.kernel.org/stable/c/4524b7febdd55fb99ae2e1f48db64019fa69e643"
        },
        {
          "url": "https://git.kernel.org/stable/c/1a86ae57b2600e5749f5f674e9d4296ac00c69a8"
        },
        {
          "url": "https://git.kernel.org/stable/c/6ebc5030e0c5a698f1dd9a6684cddf6ccaed64a0"
        }
      ],
      "title": "bpf: Fix array bounds error with may_goto",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22087",
    "datePublished": "2025-04-16T14:12:35.359Z",
    "dateReserved": "2024-12-29T08:45:45.817Z",
    "dateUpdated": "2025-05-26T05:18:11.843Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2025-37800 (GCVE-0-2025-37800)

Vulnerability from cvelistv5 – Published: 2025-05-08 06:26 – Updated: 2026-01-02 15:29

Title

driver core: fix potential NULL pointer dereference in dev_uevent()

Summary

In the Linux kernel, the following vulnerability has been resolved: driver core: fix potential NULL pointer dereference in dev_uevent() If userspace reads "uevent" device attribute at the same time as another threads unbinds the device from its driver, change to dev->driver from a valid pointer to NULL may result in crash. Fix this by using READ_ONCE() when fetching the pointer, and take bus' drivers klist lock to make sure driver instance will not disappear while we access it. Use WRITE_ONCE() when setting the driver pointer to ensure there is no tearing.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/abe56be73eb10a677…
	https://git.kernel.org/stable/c/2b344e779d9afd0fc…
	https://git.kernel.org/stable/c/3781e4b83e1743649…
	https://git.kernel.org/stable/c/18daa52418e7e4629…

Impacted products

Vendor

Product

Version

Linux

Affected: 16574dccd8f62dc1b585325f8a6a0aab10047ed8 , < abe56be73eb10a677d16066f65ff9d30251f5eee (git)
Affected: 16574dccd8f62dc1b585325f8a6a0aab10047ed8 , < 2b344e779d9afd0fcb5ee4000e4d0fc7d8d867eb (git)
Affected: 16574dccd8f62dc1b585325f8a6a0aab10047ed8 , < 3781e4b83e174364998855de777e184cf0b62c40 (git)
Affected: 16574dccd8f62dc1b585325f8a6a0aab10047ed8 , < 18daa52418e7e4629ed1703b64777294209d2622 (git)

Linux

Affected: 2.6.22
Unaffected: 0 , < 2.6.22 (semver)
Unaffected: 6.6.89 , ≤ 6.6.* (semver)
Unaffected: 6.12.26 , ≤ 6.12.* (semver)
Unaffected: 6.14.5 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/base.h",
            "drivers/base/bus.c",
            "drivers/base/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "abe56be73eb10a677d16066f65ff9d30251f5eee",
              "status": "affected",
              "version": "16574dccd8f62dc1b585325f8a6a0aab10047ed8",
              "versionType": "git"
            },
            {
              "lessThan": "2b344e779d9afd0fcb5ee4000e4d0fc7d8d867eb",
              "status": "affected",
              "version": "16574dccd8f62dc1b585325f8a6a0aab10047ed8",
              "versionType": "git"
            },
            {
              "lessThan": "3781e4b83e174364998855de777e184cf0b62c40",
              "status": "affected",
              "version": "16574dccd8f62dc1b585325f8a6a0aab10047ed8",
              "versionType": "git"
            },
            {
              "lessThan": "18daa52418e7e4629ed1703b64777294209d2622",
              "status": "affected",
              "version": "16574dccd8f62dc1b585325f8a6a0aab10047ed8",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/base/base.h",
            "drivers/base/bus.c",
            "drivers/base/core.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.22"
            },
            {
              "lessThan": "2.6.22",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.89",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.26",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.5",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.89",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.26",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.5",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.22",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndriver core: fix potential NULL pointer dereference in dev_uevent()\n\nIf userspace reads \"uevent\" device attribute at the same time as another\nthreads unbinds the device from its driver, change to dev-\u003edriver from a\nvalid pointer to NULL may result in crash. Fix this by using READ_ONCE()\nwhen fetching the pointer, and take bus\u0027 drivers klist lock to make sure\ndriver instance will not disappear while we access it.\n\nUse WRITE_ONCE() when setting the driver pointer to ensure there is no\ntearing."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:29:02.184Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/abe56be73eb10a677d16066f65ff9d30251f5eee"
        },
        {
          "url": "https://git.kernel.org/stable/c/2b344e779d9afd0fcb5ee4000e4d0fc7d8d867eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/3781e4b83e174364998855de777e184cf0b62c40"
        },
        {
          "url": "https://git.kernel.org/stable/c/18daa52418e7e4629ed1703b64777294209d2622"
        }
      ],
      "title": "driver core: fix potential NULL pointer dereference in dev_uevent()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37800",
    "datePublished": "2025-05-08T06:26:01.125Z",
    "dateReserved": "2025-04-16T04:51:23.941Z",
    "dateUpdated": "2026-01-02T15:29:02.184Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-37892 (GCVE-0-2025-37892)

Vulnerability from cvelistv5 – Published: 2025-05-20 11:00 – Updated: 2025-11-03 19:57

Title

mtd: inftlcore: Add error check for inftl_read_oob()

Summary

In the Linux kernel, the following vulnerability has been resolved: mtd: inftlcore: Add error check for inftl_read_oob() In INFTL_findwriteunit(), the return value of inftl_read_oob() need to be checked. A proper implementation can be found in INFTL_deleteblock(). The status will be set as SECTOR_IGNORE to break from the while-loop correctly if the inftl_read_oob() fails.

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/b828d394308e8e00d…
	https://git.kernel.org/stable/c/0300e751170cf80c0…
	https://git.kernel.org/stable/c/e7d6ceff95c55297f…
	https://git.kernel.org/stable/c/6af3b92b1c0b58ca2…
	https://git.kernel.org/stable/c/7772621041ee78823…
	https://git.kernel.org/stable/c/5479a6af3c96f73be…
	https://git.kernel.org/stable/c/1c22356dfb041e529…
	https://git.kernel.org/stable/c/114d94f095aa405fa…
	https://git.kernel.org/stable/c/d027951dc85cb2e15…

Impacted products

Vendor

Product

Version

Linux

Affected: 8593fbc68b0df1168995de76d1af38eb62fd6b62 , < b828d394308e8e00df0a6f57e7dabae609bb8b7b (git)
Affected: 8593fbc68b0df1168995de76d1af38eb62fd6b62 , < 0300e751170cf80c05ca1a762a7b449e8ca6b693 (git)
Affected: 8593fbc68b0df1168995de76d1af38eb62fd6b62 , < e7d6ceff95c55297f0ee8f9dbc4da5c558f30e9e (git)
Affected: 8593fbc68b0df1168995de76d1af38eb62fd6b62 , < 6af3b92b1c0b58ca281d0e1501bad2567f73c1a5 (git)
Affected: 8593fbc68b0df1168995de76d1af38eb62fd6b62 , < 7772621041ee78823ccc5f1fe38f6faa22af7023 (git)
Affected: 8593fbc68b0df1168995de76d1af38eb62fd6b62 , < 5479a6af3c96f73bec2d2819532b6d6814f52dd6 (git)
Affected: 8593fbc68b0df1168995de76d1af38eb62fd6b62 , < 1c22356dfb041e5292835c9ff44d5f91bef8dd18 (git)
Affected: 8593fbc68b0df1168995de76d1af38eb62fd6b62 , < 114d94f095aa405fa9a51484c4be34846d7bb386 (git)
Affected: 8593fbc68b0df1168995de76d1af38eb62fd6b62 , < d027951dc85cb2e15924c980dc22a6754d100c7c (git)

Linux

Affected: 2.6.18
Unaffected: 0 , < 2.6.18 (semver)
Unaffected: 5.4.293 , ≤ 5.4.* (semver)
Unaffected: 5.10.237 , ≤ 5.10.* (semver)
Unaffected: 5.15.181 , ≤ 5.15.* (semver)
Unaffected: 6.1.135 , ≤ 6.1.* (semver)
Unaffected: 6.6.88 , ≤ 6.6.* (semver)
Unaffected: 6.12.24 , ≤ 6.12.* (semver)
Unaffected: 6.13.12 , ≤ 6.13.* (semver)
Unaffected: 6.14.3 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:57:03.688Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/inftlcore.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "b828d394308e8e00df0a6f57e7dabae609bb8b7b",
              "status": "affected",
              "version": "8593fbc68b0df1168995de76d1af38eb62fd6b62",
              "versionType": "git"
            },
            {
              "lessThan": "0300e751170cf80c05ca1a762a7b449e8ca6b693",
              "status": "affected",
              "version": "8593fbc68b0df1168995de76d1af38eb62fd6b62",
              "versionType": "git"
            },
            {
              "lessThan": "e7d6ceff95c55297f0ee8f9dbc4da5c558f30e9e",
              "status": "affected",
              "version": "8593fbc68b0df1168995de76d1af38eb62fd6b62",
              "versionType": "git"
            },
            {
              "lessThan": "6af3b92b1c0b58ca281d0e1501bad2567f73c1a5",
              "status": "affected",
              "version": "8593fbc68b0df1168995de76d1af38eb62fd6b62",
              "versionType": "git"
            },
            {
              "lessThan": "7772621041ee78823ccc5f1fe38f6faa22af7023",
              "status": "affected",
              "version": "8593fbc68b0df1168995de76d1af38eb62fd6b62",
              "versionType": "git"
            },
            {
              "lessThan": "5479a6af3c96f73bec2d2819532b6d6814f52dd6",
              "status": "affected",
              "version": "8593fbc68b0df1168995de76d1af38eb62fd6b62",
              "versionType": "git"
            },
            {
              "lessThan": "1c22356dfb041e5292835c9ff44d5f91bef8dd18",
              "status": "affected",
              "version": "8593fbc68b0df1168995de76d1af38eb62fd6b62",
              "versionType": "git"
            },
            {
              "lessThan": "114d94f095aa405fa9a51484c4be34846d7bb386",
              "status": "affected",
              "version": "8593fbc68b0df1168995de76d1af38eb62fd6b62",
              "versionType": "git"
            },
            {
              "lessThan": "d027951dc85cb2e15924c980dc22a6754d100c7c",
              "status": "affected",
              "version": "8593fbc68b0df1168995de76d1af38eb62fd6b62",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/mtd/inftlcore.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.18"
            },
            {
              "lessThan": "2.6.18",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.293",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.237",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.181",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.135",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.88",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.24",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.12",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.3",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.293",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.237",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.181",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.135",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.88",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.24",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.12",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.3",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "2.6.18",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nmtd: inftlcore: Add error check for inftl_read_oob()\n\nIn INFTL_findwriteunit(), the return value of inftl_read_oob()\nneed to be checked. A proper implementation can be\nfound in INFTL_deleteblock(). The status will be set as\nSECTOR_IGNORE to break from the while-loop correctly\nif the inftl_read_oob() fails."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:23:09.598Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/b828d394308e8e00df0a6f57e7dabae609bb8b7b"
        },
        {
          "url": "https://git.kernel.org/stable/c/0300e751170cf80c05ca1a762a7b449e8ca6b693"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7d6ceff95c55297f0ee8f9dbc4da5c558f30e9e"
        },
        {
          "url": "https://git.kernel.org/stable/c/6af3b92b1c0b58ca281d0e1501bad2567f73c1a5"
        },
        {
          "url": "https://git.kernel.org/stable/c/7772621041ee78823ccc5f1fe38f6faa22af7023"
        },
        {
          "url": "https://git.kernel.org/stable/c/5479a6af3c96f73bec2d2819532b6d6814f52dd6"
        },
        {
          "url": "https://git.kernel.org/stable/c/1c22356dfb041e5292835c9ff44d5f91bef8dd18"
        },
        {
          "url": "https://git.kernel.org/stable/c/114d94f095aa405fa9a51484c4be34846d7bb386"
        },
        {
          "url": "https://git.kernel.org/stable/c/d027951dc85cb2e15924c980dc22a6754d100c7c"
        }
      ],
      "title": "mtd: inftlcore: Add error check for inftl_read_oob()",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-37892",
    "datePublished": "2025-05-20T11:00:26.977Z",
    "dateReserved": "2025-04-16T04:51:23.964Z",
    "dateUpdated": "2025-11-03T19:57:03.688Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-21912 (GCVE-0-2025-21912)

Vulnerability from cvelistv5 – Published: 2025-04-01 15:40 – Updated: 2026-01-02 15:28

Title

gpio: rcar: Use raw_spinlock to protect register access

Summary

In the Linux kernel, the following vulnerability has been resolved: gpio: rcar: Use raw_spinlock to protect register access Use raw_spinlock in order to fix spurious messages about invalid context when spinlock debugging is enabled. The lock is only used to serialize register access. [ 4.239592] ============================= [ 4.239595] [ BUG: Invalid wait context ] [ 4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted [ 4.239603] ----------------------------- [ 4.239606] kworker/u8:5/76 is trying to lock: [ 4.239609] ffff0000091898a0 (&p->lock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.239641] other info that might help us debug this: [ 4.239643] context-{5:5} [ 4.239646] 5 locks held by kworker/u8:5/76: [ 4.239651] #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c [ 4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property 'frame-master' with a value. [ 4.254094] #1: ffff80008299bd80 ((work_completion)(&entry->work)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c [ 4.254109] #2: ffff00000920c8f8 [ 4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'bitclock-master' with a value. [ 4.264803] (&dev->mutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc [ 4.264820] #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690 [ 4.264840] #4: [ 4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property 'frame-master' with a value. [ 4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690 [ 4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz [ 4.304082] stack backtrace: [ 4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 [ 4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT) [ 4.304097] Workqueue: async async_run_entry_fn [ 4.304106] Call trace: [ 4.304110] show_stack+0x14/0x20 (C) [ 4.304122] dump_stack_lvl+0x6c/0x90 [ 4.304131] dump_stack+0x14/0x1c [ 4.304138] __lock_acquire+0xdfc/0x1584 [ 4.426274] lock_acquire+0x1c4/0x33c [ 4.429942] _raw_spin_lock_irqsave+0x5c/0x80 [ 4.434307] gpio_rcar_config_interrupt_input_mode+0x34/0x164 [ 4.440061] gpio_rcar_irq_set_type+0xd4/0xd8 [ 4.444422] __irq_set_trigger+0x5c/0x178 [ 4.448435] __setup_irq+0x2e4/0x690 [ 4.452012] request_threaded_irq+0xc4/0x190 [ 4.456285] devm_request_threaded_irq+0x7c/0xf4 [ 4.459398] ata1: link resume succeeded after 1 retries [ 4.460902] mmc_gpiod_request_cd_irq+0x68/0xe0 [ 4.470660] mmc_start_host+0x50/0xac [ 4.474327] mmc_add_host+0x80/0xe4 [ 4.477817] tmio_mmc_host_probe+0x2b0/0x440 [ 4.482094] renesas_sdhi_probe+0x488/0x6f4 [ 4.486281] renesas_sdhi_internal_dmac_probe+0x60/0x78 [ 4.491509] platform_probe+0x64/0xd8 [ 4.495178] really_probe+0xb8/0x2a8 [ 4.498756] __driver_probe_device+0x74/0x118 [ 4.503116] driver_probe_device+0x3c/0x154 [ 4.507303] __device_attach_driver+0xd4/0x160 [ 4.511750] bus_for_each_drv+0x84/0xe0 [ 4.515588] __device_attach_async_helper+0xb0/0xdc [ 4.520470] async_run_entry_fn+0x30/0xd8 [ 4.524481] process_one_work+0x210/0x62c [ 4.528494] worker_thread+0x1ac/0x340 [ 4.532245] kthread+0x10c/0x110 [ 4.535476] ret_from_fork+0x10/0x20

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/389891ac9f678baf6…
	https://git.kernel.org/stable/c/7c1f36f9c9aca507d…
	https://git.kernel.org/stable/c/3e300913c42041e81…
	https://git.kernel.org/stable/c/c10365031f16514a2…
	https://git.kernel.org/stable/c/b42c84f9e4ec5bc28…
	https://git.kernel.org/stable/c/51ef3073493e2a25d…
	https://git.kernel.org/stable/c/f02c41f87cfe61440…

Impacted products

Vendor

Product

Version

Linux

Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < 389891ac9f678baf68e13623ef1308493af4b074 (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < 7c1f36f9c9aca507d317479a3d3388150ae40a87 (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < 3e300913c42041e81c5b17a970c4e078086ff2d1 (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < c10365031f16514a29c812cd909085a6e4ea4b61 (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < b42c84f9e4ec5bc2885e7fd80c79ec0352f5d2af (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < 51ef3073493e2a25dced05fdd59dfb059e7e284d (git)
Affected: 119f5e448d32c11faf22fe81f6f2d78467a47149 , < f02c41f87cfe61440c18bf77d1ef0a884b9ee2b5 (git)

Linux

Affected: 3.10
Unaffected: 0 , < 3.10 (semver)
Unaffected: 5.10.241 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.131 , ≤ 6.1.* (semver)
Unaffected: 6.6.83 , ≤ 6.6.* (semver)
Unaffected: 6.12.19 , ≤ 6.12.* (semver)
Unaffected: 6.13.7 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:38:58.412Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/10/msg00007.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpio-rcar.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "389891ac9f678baf68e13623ef1308493af4b074",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "7c1f36f9c9aca507d317479a3d3388150ae40a87",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "3e300913c42041e81c5b17a970c4e078086ff2d1",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "c10365031f16514a29c812cd909085a6e4ea4b61",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "b42c84f9e4ec5bc2885e7fd80c79ec0352f5d2af",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "51ef3073493e2a25dced05fdd59dfb059e7e284d",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            },
            {
              "lessThan": "f02c41f87cfe61440c18bf77d1ef0a884b9ee2b5",
              "status": "affected",
              "version": "119f5e448d32c11faf22fe81f6f2d78467a47149",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpio/gpio-rcar.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "3.10"
            },
            {
              "lessThan": "3.10",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.241",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.131",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.83",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.19",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.7",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.241",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.131",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.83",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.19",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.7",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "3.10",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ngpio: rcar: Use raw_spinlock to protect register access\n\nUse raw_spinlock in order to fix spurious messages about invalid context\nwhen spinlock debugging is enabled. The lock is only used to serialize\nregister access.\n\n    [    4.239592] =============================\n    [    4.239595] [ BUG: Invalid wait context ]\n    [    4.239599] 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35 Not tainted\n    [    4.239603] -----------------------------\n    [    4.239606] kworker/u8:5/76 is trying to lock:\n    [    4.239609] ffff0000091898a0 (\u0026p-\u003elock){....}-{3:3}, at: gpio_rcar_config_interrupt_input_mode+0x34/0x164\n    [    4.239641] other info that might help us debug this:\n    [    4.239643] context-{5:5}\n    [    4.239646] 5 locks held by kworker/u8:5/76:\n    [    4.239651]  #0: ffff0000080fb148 ((wq_completion)async){+.+.}-{0:0}, at: process_one_work+0x190/0x62c\n    [    4.250180] OF: /soc/sound@ec500000/ports/port@0/endpoint: Read of boolean property \u0027frame-master\u0027 with a value.\n    [    4.254094]  #1: ffff80008299bd80 ((work_completion)(\u0026entry-\u003ework)){+.+.}-{0:0}, at: process_one_work+0x1b8/0x62c\n    [    4.254109]  #2: ffff00000920c8f8\n    [    4.258345] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property \u0027bitclock-master\u0027 with a value.\n    [    4.264803]  (\u0026dev-\u003emutex){....}-{4:4}, at: __device_attach_async_helper+0x3c/0xdc\n    [    4.264820]  #3: ffff00000a50ca40 (request_class#2){+.+.}-{4:4}, at: __setup_irq+0xa0/0x690\n    [    4.264840]  #4:\n    [    4.268872] OF: /soc/sound@ec500000/ports/port@1/endpoint: Read of boolean property \u0027frame-master\u0027 with a value.\n    [    4.273275] ffff00000a50c8c8 (lock_class){....}-{2:2}, at: __setup_irq+0xc4/0x690\n    [    4.296130] renesas_sdhi_internal_dmac ee100000.mmc: mmc1 base at 0x00000000ee100000, max clock rate 200 MHz\n    [    4.304082] stack backtrace:\n    [    4.304086] CPU: 1 UID: 0 PID: 76 Comm: kworker/u8:5 Not tainted 6.13.0-rc7-arm64-renesas-05496-gd088502a519f #35\n    [    4.304092] Hardware name: Renesas Salvator-X 2nd version board based on r8a77965 (DT)\n    [    4.304097] Workqueue: async async_run_entry_fn\n    [    4.304106] Call trace:\n    [    4.304110]  show_stack+0x14/0x20 (C)\n    [    4.304122]  dump_stack_lvl+0x6c/0x90\n    [    4.304131]  dump_stack+0x14/0x1c\n    [    4.304138]  __lock_acquire+0xdfc/0x1584\n    [    4.426274]  lock_acquire+0x1c4/0x33c\n    [    4.429942]  _raw_spin_lock_irqsave+0x5c/0x80\n    [    4.434307]  gpio_rcar_config_interrupt_input_mode+0x34/0x164\n    [    4.440061]  gpio_rcar_irq_set_type+0xd4/0xd8\n    [    4.444422]  __irq_set_trigger+0x5c/0x178\n    [    4.448435]  __setup_irq+0x2e4/0x690\n    [    4.452012]  request_threaded_irq+0xc4/0x190\n    [    4.456285]  devm_request_threaded_irq+0x7c/0xf4\n    [    4.459398] ata1: link resume succeeded after 1 retries\n    [    4.460902]  mmc_gpiod_request_cd_irq+0x68/0xe0\n    [    4.470660]  mmc_start_host+0x50/0xac\n    [    4.474327]  mmc_add_host+0x80/0xe4\n    [    4.477817]  tmio_mmc_host_probe+0x2b0/0x440\n    [    4.482094]  renesas_sdhi_probe+0x488/0x6f4\n    [    4.486281]  renesas_sdhi_internal_dmac_probe+0x60/0x78\n    [    4.491509]  platform_probe+0x64/0xd8\n    [    4.495178]  really_probe+0xb8/0x2a8\n    [    4.498756]  __driver_probe_device+0x74/0x118\n    [    4.503116]  driver_probe_device+0x3c/0x154\n    [    4.507303]  __device_attach_driver+0xd4/0x160\n    [    4.511750]  bus_for_each_drv+0x84/0xe0\n    [    4.515588]  __device_attach_async_helper+0xb0/0xdc\n    [    4.520470]  async_run_entry_fn+0x30/0xd8\n    [    4.524481]  process_one_work+0x210/0x62c\n    [    4.528494]  worker_thread+0x1ac/0x340\n    [    4.532245]  kthread+0x10c/0x110\n    [    4.535476]  ret_from_fork+0x10/0x20"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-02T15:28:38.362Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/389891ac9f678baf68e13623ef1308493af4b074"
        },
        {
          "url": "https://git.kernel.org/stable/c/7c1f36f9c9aca507d317479a3d3388150ae40a87"
        },
        {
          "url": "https://git.kernel.org/stable/c/3e300913c42041e81c5b17a970c4e078086ff2d1"
        },
        {
          "url": "https://git.kernel.org/stable/c/c10365031f16514a29c812cd909085a6e4ea4b61"
        },
        {
          "url": "https://git.kernel.org/stable/c/b42c84f9e4ec5bc2885e7fd80c79ec0352f5d2af"
        },
        {
          "url": "https://git.kernel.org/stable/c/51ef3073493e2a25dced05fdd59dfb059e7e284d"
        },
        {
          "url": "https://git.kernel.org/stable/c/f02c41f87cfe61440c18bf77d1ef0a884b9ee2b5"
        }
      ],
      "title": "gpio: rcar: Use raw_spinlock to protect register access",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-21912",
    "datePublished": "2025-04-01T15:40:50.299Z",
    "dateReserved": "2024-12-29T08:45:45.787Z",
    "dateUpdated": "2026-01-02T15:28:38.362Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-58063 (GCVE-0-2024-58063)

Vulnerability from cvelistv5 – Published: 2025-03-06 15:54 – Updated: 2025-11-03 19:33

Title

wifi: rtlwifi: fix memory leaks and invalid access at probe error path

Summary

In the Linux kernel, the following vulnerability has been resolved: wifi: rtlwifi: fix memory leaks and invalid access at probe error path Deinitialize at reverse order when probe fails. When init_sw_vars fails, rtl_deinit_core should not be called, specially now that it destroys the rtl_wq workqueue. And call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be leaked. Remove pci_set_drvdata call as it will already be cleaned up by the core driver code and could lead to memory leaks too. cf. commit 8d450935ae7f ("wireless: rtlwifi: remove unnecessary pci_set_drvdata()") and commit 3d86b93064c7 ("rtlwifi: Fix PCI probe error path orphaned memory").

Severity ?

5.5 (Medium)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CWE

CWE-401 - Missing Release of Memory after Effective Lifetime

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/85b67b4c4a0f8a6fb…
	https://git.kernel.org/stable/c/455e0f40b5352186a…
	https://git.kernel.org/stable/c/b96371339fd9cac90…
	https://git.kernel.org/stable/c/ee0b0d7baa8a6d42c…
	https://git.kernel.org/stable/c/624cea89a0865a2bc…
	https://git.kernel.org/stable/c/32acebca0a51f5e37…
	https://git.kernel.org/stable/c/6b76bab5c25746330…
	https://git.kernel.org/stable/c/e7ceefbfd8d447abc…

Impacted products

Vendor

Product

Version

Linux

Affected: 0c8173385e549f95cd80c3fff5aab87b4f881d8d , < 85b67b4c4a0f8a6fb20cf4ef7684ff2b0cf559df (git)
Affected: 0c8173385e549f95cd80c3fff5aab87b4f881d8d , < 455e0f40b5352186a9095f2135d5c89255e7c39a (git)
Affected: 0c8173385e549f95cd80c3fff5aab87b4f881d8d , < b96371339fd9cac90f5ee4ac17ee5c4cbbdfa6f7 (git)
Affected: 0c8173385e549f95cd80c3fff5aab87b4f881d8d , < ee0b0d7baa8a6d42c7988f6e50c8f164cdf3fa47 (git)
Affected: 0c8173385e549f95cd80c3fff5aab87b4f881d8d , < 624cea89a0865a2bc3e00182a6b0f954a94328b4 (git)
Affected: 0c8173385e549f95cd80c3fff5aab87b4f881d8d , < 32acebca0a51f5e372536bfdc0d7d332ab749013 (git)
Affected: 0c8173385e549f95cd80c3fff5aab87b4f881d8d , < 6b76bab5c257463302c9e97f5d84d524457468eb (git)
Affected: 0c8173385e549f95cd80c3fff5aab87b4f881d8d , < e7ceefbfd8d447abc8aca8ab993a942803522c06 (git)

Linux

Affected: 2.6.38
Unaffected: 0 , < 2.6.38 (semver)
Unaffected: 5.4.291 , ≤ 5.4.* (semver)
Unaffected: 5.10.235 , ≤ 5.10.* (semver)
Unaffected: 5.15.179 , ≤ 5.15.* (semver)
Unaffected: 6.1.129 , ≤ 6.1.* (semver)
Unaffected: 6.6.76 , ≤ 6.6.* (semver)
Unaffected: 6.12.13 , ≤ 6.12.* (semver)
Unaffected: 6.13.2 , ≤ 6.13.* (semver)
Unaffected: 6.14 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "LOCAL",
              "availabilityImpact": "HIGH",
              "baseScore": 5.5,
              "baseSeverity": "MEDIUM",
              "confidentialityImpact": "NONE",
              "integrityImpact": "NONE",
              "privilegesRequired": "LOW",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-58063",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-01T19:28:06.599973Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-401",
                "description": "CWE-401 Missing Release of Memory after Effective Lifetime",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-01T19:36:37.487Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      },
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:33:58.900Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00030.html"
          },
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00028.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtlwifi/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "85b67b4c4a0f8a6fb20cf4ef7684ff2b0cf559df",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "455e0f40b5352186a9095f2135d5c89255e7c39a",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "b96371339fd9cac90f5ee4ac17ee5c4cbbdfa6f7",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "ee0b0d7baa8a6d42c7988f6e50c8f164cdf3fa47",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "624cea89a0865a2bc3e00182a6b0f954a94328b4",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "32acebca0a51f5e372536bfdc0d7d332ab749013",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "6b76bab5c257463302c9e97f5d84d524457468eb",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            },
            {
              "lessThan": "e7ceefbfd8d447abc8aca8ab993a942803522c06",
              "status": "affected",
              "version": "0c8173385e549f95cd80c3fff5aab87b4f881d8d",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/net/wireless/realtek/rtlwifi/pci.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "2.6.38"
            },
            {
              "lessThan": "2.6.38",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.4.*",
              "status": "unaffected",
              "version": "5.4.291",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.10.*",
              "status": "unaffected",
              "version": "5.10.235",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "5.15.*",
              "status": "unaffected",
              "version": "5.15.179",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.129",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.76",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.13",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.14",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.4.291",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.10.235",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "5.15.179",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.129",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.76",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.13",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.2",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14",
                  "versionStartIncluding": "2.6.38",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: rtlwifi: fix memory leaks and invalid access at probe error path\n\nDeinitialize at reverse order when probe fails.\n\nWhen init_sw_vars fails, rtl_deinit_core should not be called, specially\nnow that it destroys the rtl_wq workqueue.\n\nAnd call rtl_pci_deinit and deinit_sw_vars, otherwise, memory will be\nleaked.\n\nRemove pci_set_drvdata call as it will already be cleaned up by the core\ndriver code and could lead to memory leaks too. cf. commit 8d450935ae7f\n(\"wireless: rtlwifi: remove unnecessary pci_set_drvdata()\") and\ncommit 3d86b93064c7 (\"rtlwifi: Fix PCI probe error path orphaned memory\")."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-04T10:09:07.007Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/85b67b4c4a0f8a6fb20cf4ef7684ff2b0cf559df"
        },
        {
          "url": "https://git.kernel.org/stable/c/455e0f40b5352186a9095f2135d5c89255e7c39a"
        },
        {
          "url": "https://git.kernel.org/stable/c/b96371339fd9cac90f5ee4ac17ee5c4cbbdfa6f7"
        },
        {
          "url": "https://git.kernel.org/stable/c/ee0b0d7baa8a6d42c7988f6e50c8f164cdf3fa47"
        },
        {
          "url": "https://git.kernel.org/stable/c/624cea89a0865a2bc3e00182a6b0f954a94328b4"
        },
        {
          "url": "https://git.kernel.org/stable/c/32acebca0a51f5e372536bfdc0d7d332ab749013"
        },
        {
          "url": "https://git.kernel.org/stable/c/6b76bab5c257463302c9e97f5d84d524457468eb"
        },
        {
          "url": "https://git.kernel.org/stable/c/e7ceefbfd8d447abc8aca8ab993a942803522c06"
        }
      ],
      "title": "wifi: rtlwifi: fix memory leaks and invalid access at probe error path",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2024-58063",
    "datePublished": "2025-03-06T15:54:05.258Z",
    "dateReserved": "2025-03-06T15:52:09.181Z",
    "dateUpdated": "2025-11-03T19:33:58.900Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2025-22093 (GCVE-0-2025-22093)

Vulnerability from cvelistv5 – Published: 2025-04-16 14:12 – Updated: 2025-11-03 19:42

Title

drm/amd/display: avoid NPD when ASIC does not support DMUB

Summary

In the Linux kernel, the following vulnerability has been resolved: drm/amd/display: avoid NPD when ASIC does not support DMUB ctx->dmub_srv will de NULL if the ASIC does not support DMUB, which is tested in dm_dmub_sw_init. However, it will be dereferenced in dmub_hw_lock_mgr_cmd if should_use_dmub_lock returns true. This has been the case since dmub support has been added for PSR1. Fix this by checking for dmub_srv in should_use_dmub_lock. [ 37.440832] BUG: kernel NULL pointer dereference, address: 0000000000000058 [ 37.447808] #PF: supervisor read access in kernel mode [ 37.452959] #PF: error_code(0x0000) - not-present page [ 37.458112] PGD 0 P4D 0 [ 37.460662] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI [ 37.465553] CPU: 2 UID: 1000 PID: 1745 Comm: DrmThread Not tainted 6.14.0-rc1-00003-gd62e938120f0 #23 99720e1cb1e0fc4773b8513150932a07de3c6e88 [ 37.478324] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023 [ 37.487103] RIP: 0010:dmub_hw_lock_mgr_cmd+0x77/0xb0 [ 37.492074] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 <48> 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5 [ 37.510822] RSP: 0018:ffff969442853300 EFLAGS: 00010202 [ 37.516052] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358 [ 37.523185] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000 [ 37.530322] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5 [ 37.537453] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000 [ 37.544589] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000 [ 37.551725] FS: 0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000 [ 37.559814] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 37.565562] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0 [ 37.572697] Call Trace: [ 37.575152] <TASK> [ 37.577258] ? __die_body+0x66/0xb0 [ 37.580756] ? page_fault_oops+0x3e7/0x4a0 [ 37.584861] ? exc_page_fault+0x3e/0xe0 [ 37.588706] ? exc_page_fault+0x5c/0xe0 [ 37.592550] ? asm_exc_page_fault+0x22/0x30 [ 37.596742] ? dmub_hw_lock_mgr_cmd+0x77/0xb0 [ 37.601107] dcn10_cursor_lock+0x1e1/0x240 [ 37.605211] program_cursor_attributes+0x81/0x190 [ 37.609923] commit_planes_for_stream+0x998/0x1ef0 [ 37.614722] update_planes_and_stream_v2+0x41e/0x5c0 [ 37.619703] dc_update_planes_and_stream+0x78/0x140 [ 37.624588] amdgpu_dm_atomic_commit_tail+0x4362/0x49f0 [ 37.629832] ? srso_return_thunk+0x5/0x5f [ 37.633847] ? mark_held_locks+0x6d/0xd0 [ 37.637774] ? _raw_spin_unlock_irq+0x24/0x50 [ 37.642135] ? srso_return_thunk+0x5/0x5f [ 37.646148] ? lockdep_hardirqs_on+0x95/0x150 [ 37.650510] ? srso_return_thunk+0x5/0x5f [ 37.654522] ? _raw_spin_unlock_irq+0x2f/0x50 [ 37.658883] ? srso_return_thunk+0x5/0x5f [ 37.662897] ? wait_for_common+0x186/0x1c0 [ 37.666998] ? srso_return_thunk+0x5/0x5f [ 37.671009] ? drm_crtc_next_vblank_start+0xc3/0x170 [ 37.675983] commit_tail+0xf5/0x1c0 [ 37.679478] drm_atomic_helper_commit+0x2a2/0x2b0 [ 37.684186] drm_atomic_commit+0xd6/0x100 [ 37.688199] ? __cfi___drm_printfn_info+0x10/0x10 [ 37.692911] drm_atomic_helper_update_plane+0xe5/0x130 [ 37.698054] drm_mode_cursor_common+0x501/0x670 [ 37.702600] ? __cfi_drm_mode_cursor_ioctl+0x10/0x10 [ 37.707572] drm_mode_cursor_ioctl+0x48/0x70 [ 37.711851] drm_ioctl_kernel+0xf2/0x150 [ 37.715781] drm_ioctl+0x363/0x590 [ 37.719189] ? __cfi_drm_mode_cursor_ioctl+0x10/0x10 [ 37.724165] amdgpu_drm_ioctl+0x41/0x80 [ 37.728013] __se_sys_ioctl+0x7f/0xd0 [ 37.731685] do_syscall_64+0x87/0x100 [ 37.735355] ? vma_end_read+0x12/0xe0 [ 37.739024] ? srso_return_thunk+0x5/0x5f [ 37.743041] ? find_held_lock+0x47/0xf0 [ 37.746884] ? vma_end_read+0x12/0xe0 [ 37.750552] ? srso_return_thunk+0x5/0 ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/d953e2cd59ab46656…
	https://git.kernel.org/stable/c/b3a93a2407ad23c8d…
	https://git.kernel.org/stable/c/3453bcaf2ca926593…
	https://git.kernel.org/stable/c/5e4b1e04740cdb28d…
	https://git.kernel.org/stable/c/35ad39afd007eddf3…
	https://git.kernel.org/stable/c/42d9d7bed270247f1…

Impacted products

Vendor

Product

Version

Linux

Affected: b7d2461858ac75c9d6bc4ab8af1a738d0814b716 , < d953e2cd59ab466569c6f9da460e01caf1c83559 (git)
Affected: 758abba3dd413dc5de2016f8588403294263a30a , < b3a93a2407ad23c8d5bacabaf7cecbb4c6cdd461 (git)
Affected: 4b46fc30b37e457d25cf3908c0c4dc3fbedd2044 , < 3453bcaf2ca92659346bf8504c2b52b3993fbd79 (git)
Affected: b5c764d6ed556c4e81fbe3fd976da77ec450c08e , < 5e4b1e04740cdb28de189285007366d99a92f1ce (git)
Affected: b5c764d6ed556c4e81fbe3fd976da77ec450c08e , < 35ad39afd007eddf34b3307bebb715c26891cc96 (git)
Affected: b5c764d6ed556c4e81fbe3fd976da77ec450c08e , < 42d9d7bed270247f134190ba0cb05bbd072f58c2 (git)

Linux

Affected: 6.13
Unaffected: 0 , < 6.13 (semver)
Unaffected: 6.1.134 , ≤ 6.1.* (semver)
Unaffected: 6.6.87 , ≤ 6.6.* (semver)
Unaffected: 6.12.23 , ≤ 6.12.* (semver)
Unaffected: 6.13.11 , ≤ 6.13.* (semver)
Unaffected: 6.14.2 , ≤ 6.14.* (semver)
Unaffected: 6.15 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

To clipboard Create KEV Entry

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2025-11-03T19:42:10.365Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00045.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "lessThan": "d953e2cd59ab466569c6f9da460e01caf1c83559",
              "status": "affected",
              "version": "b7d2461858ac75c9d6bc4ab8af1a738d0814b716",
              "versionType": "git"
            },
            {
              "lessThan": "b3a93a2407ad23c8d5bacabaf7cecbb4c6cdd461",
              "status": "affected",
              "version": "758abba3dd413dc5de2016f8588403294263a30a",
              "versionType": "git"
            },
            {
              "lessThan": "3453bcaf2ca92659346bf8504c2b52b3993fbd79",
              "status": "affected",
              "version": "4b46fc30b37e457d25cf3908c0c4dc3fbedd2044",
              "versionType": "git"
            },
            {
              "lessThan": "5e4b1e04740cdb28de189285007366d99a92f1ce",
              "status": "affected",
              "version": "b5c764d6ed556c4e81fbe3fd976da77ec450c08e",
              "versionType": "git"
            },
            {
              "lessThan": "35ad39afd007eddf34b3307bebb715c26891cc96",
              "status": "affected",
              "version": "b5c764d6ed556c4e81fbe3fd976da77ec450c08e",
              "versionType": "git"
            },
            {
              "lessThan": "42d9d7bed270247f134190ba0cb05bbd072f58c2",
              "status": "affected",
              "version": "b5c764d6ed556c4e81fbe3fd976da77ec450c08e",
              "versionType": "git"
            }
          ]
        },
        {
          "defaultStatus": "affected",
          "product": "Linux",
          "programFiles": [
            "drivers/gpu/drm/amd/display/dc/dce/dmub_hw_lock_mgr.c"
          ],
          "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git",
          "vendor": "Linux",
          "versions": [
            {
              "status": "affected",
              "version": "6.13"
            },
            {
              "lessThan": "6.13",
              "status": "unaffected",
              "version": "0",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.1.*",
              "status": "unaffected",
              "version": "6.1.134",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.6.*",
              "status": "unaffected",
              "version": "6.6.87",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.12.*",
              "status": "unaffected",
              "version": "6.12.23",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.13.*",
              "status": "unaffected",
              "version": "6.13.11",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "6.14.*",
              "status": "unaffected",
              "version": "6.14.2",
              "versionType": "semver"
            },
            {
              "lessThanOrEqual": "*",
              "status": "unaffected",
              "version": "6.15",
              "versionType": "original_commit_for_fix"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.1.134",
                  "versionStartIncluding": "6.1.128",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.6.87",
                  "versionStartIncluding": "6.6.75",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.12.23",
                  "versionStartIncluding": "6.12.12",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.13.11",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.14.2",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "6.15",
                  "versionStartIncluding": "6.13",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: avoid NPD when ASIC does not support DMUB\n\nctx-\u003edmub_srv will de NULL if the ASIC does not support DMUB, which is\ntested in dm_dmub_sw_init.\n\nHowever, it will be dereferenced in dmub_hw_lock_mgr_cmd if\nshould_use_dmub_lock returns true.\n\nThis has been the case since dmub support has been added for PSR1.\n\nFix this by checking for dmub_srv in should_use_dmub_lock.\n\n[   37.440832] BUG: kernel NULL pointer dereference, address: 0000000000000058\n[   37.447808] #PF: supervisor read access in kernel mode\n[   37.452959] #PF: error_code(0x0000) - not-present page\n[   37.458112] PGD 0 P4D 0\n[   37.460662] Oops: Oops: 0000 [#1] PREEMPT SMP NOPTI\n[   37.465553] CPU: 2 UID: 1000 PID: 1745 Comm: DrmThread Not tainted 6.14.0-rc1-00003-gd62e938120f0 #23 99720e1cb1e0fc4773b8513150932a07de3c6e88\n[   37.478324] Hardware name: Google Morphius/Morphius, BIOS Google_Morphius.13434.858.0 10/26/2023\n[   37.487103] RIP: 0010:dmub_hw_lock_mgr_cmd+0x77/0xb0\n[   37.492074] Code: 44 24 0e 00 00 00 00 48 c7 04 24 45 00 00 0c 40 88 74 24 0d 0f b6 02 88 44 24 0c 8b 01 89 44 24 08 85 f6 75 05 c6 44 24 0e 01 \u003c48\u003e 8b 7f 58 48 89 e6 ba 01 00 00 00 e8 08 3c 2a 00 65 48 8b 04 5\n[   37.510822] RSP: 0018:ffff969442853300 EFLAGS: 00010202\n[   37.516052] RAX: 0000000000000000 RBX: ffff92db03000000 RCX: ffff969442853358\n[   37.523185] RDX: ffff969442853368 RSI: 0000000000000001 RDI: 0000000000000000\n[   37.530322] RBP: 0000000000000001 R08: 00000000000004a7 R09: 00000000000004a5\n[   37.537453] R10: 0000000000000476 R11: 0000000000000062 R12: ffff92db0ade8000\n[   37.544589] R13: ffff92da01180ae0 R14: ffff92da011802a8 R15: ffff92db03000000\n[   37.551725] FS:  0000784a9cdfc6c0(0000) GS:ffff92db2af00000(0000) knlGS:0000000000000000\n[   37.559814] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033\n[   37.565562] CR2: 0000000000000058 CR3: 0000000112b1c000 CR4: 00000000003506f0\n[   37.572697] Call Trace:\n[   37.575152]  \u003cTASK\u003e\n[   37.577258]  ? __die_body+0x66/0xb0\n[   37.580756]  ? page_fault_oops+0x3e7/0x4a0\n[   37.584861]  ? exc_page_fault+0x3e/0xe0\n[   37.588706]  ? exc_page_fault+0x5c/0xe0\n[   37.592550]  ? asm_exc_page_fault+0x22/0x30\n[   37.596742]  ? dmub_hw_lock_mgr_cmd+0x77/0xb0\n[   37.601107]  dcn10_cursor_lock+0x1e1/0x240\n[   37.605211]  program_cursor_attributes+0x81/0x190\n[   37.609923]  commit_planes_for_stream+0x998/0x1ef0\n[   37.614722]  update_planes_and_stream_v2+0x41e/0x5c0\n[   37.619703]  dc_update_planes_and_stream+0x78/0x140\n[   37.624588]  amdgpu_dm_atomic_commit_tail+0x4362/0x49f0\n[   37.629832]  ? srso_return_thunk+0x5/0x5f\n[   37.633847]  ? mark_held_locks+0x6d/0xd0\n[   37.637774]  ? _raw_spin_unlock_irq+0x24/0x50\n[   37.642135]  ? srso_return_thunk+0x5/0x5f\n[   37.646148]  ? lockdep_hardirqs_on+0x95/0x150\n[   37.650510]  ? srso_return_thunk+0x5/0x5f\n[   37.654522]  ? _raw_spin_unlock_irq+0x2f/0x50\n[   37.658883]  ? srso_return_thunk+0x5/0x5f\n[   37.662897]  ? wait_for_common+0x186/0x1c0\n[   37.666998]  ? srso_return_thunk+0x5/0x5f\n[   37.671009]  ? drm_crtc_next_vblank_start+0xc3/0x170\n[   37.675983]  commit_tail+0xf5/0x1c0\n[   37.679478]  drm_atomic_helper_commit+0x2a2/0x2b0\n[   37.684186]  drm_atomic_commit+0xd6/0x100\n[   37.688199]  ? __cfi___drm_printfn_info+0x10/0x10\n[   37.692911]  drm_atomic_helper_update_plane+0xe5/0x130\n[   37.698054]  drm_mode_cursor_common+0x501/0x670\n[   37.702600]  ? __cfi_drm_mode_cursor_ioctl+0x10/0x10\n[   37.707572]  drm_mode_cursor_ioctl+0x48/0x70\n[   37.711851]  drm_ioctl_kernel+0xf2/0x150\n[   37.715781]  drm_ioctl+0x363/0x590\n[   37.719189]  ? __cfi_drm_mode_cursor_ioctl+0x10/0x10\n[   37.724165]  amdgpu_drm_ioctl+0x41/0x80\n[   37.728013]  __se_sys_ioctl+0x7f/0xd0\n[   37.731685]  do_syscall_64+0x87/0x100\n[   37.735355]  ? vma_end_read+0x12/0xe0\n[   37.739024]  ? srso_return_thunk+0x5/0x5f\n[   37.743041]  ? find_held_lock+0x47/0xf0\n[   37.746884]  ? vma_end_read+0x12/0xe0\n[   37.750552]  ? srso_return_thunk+0x5/0\n---truncated---"
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-26T05:18:19.025Z",
        "orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
        "shortName": "Linux"
      },
      "references": [
        {
          "url": "https://git.kernel.org/stable/c/d953e2cd59ab466569c6f9da460e01caf1c83559"
        },
        {
          "url": "https://git.kernel.org/stable/c/b3a93a2407ad23c8d5bacabaf7cecbb4c6cdd461"
        },
        {
          "url": "https://git.kernel.org/stable/c/3453bcaf2ca92659346bf8504c2b52b3993fbd79"
        },
        {
          "url": "https://git.kernel.org/stable/c/5e4b1e04740cdb28de189285007366d99a92f1ce"
        },
        {
          "url": "https://git.kernel.org/stable/c/35ad39afd007eddf34b3307bebb715c26891cc96"
        },
        {
          "url": "https://git.kernel.org/stable/c/42d9d7bed270247f134190ba0cb05bbd072f58c2"
        }
      ],
      "title": "drm/amd/display: avoid NPD when ASIC does not support DMUB",
      "x_generator": {
        "engine": "bippy-1.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67",
    "assignerShortName": "Linux",
    "cveId": "CVE-2025-22093",
    "datePublished": "2025-04-16T14:12:44.802Z",
    "dateReserved": "2024-12-29T08:45:45.818Z",
    "dateUpdated": "2025-11-03T19:42:10.365Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-56664 (GCVE-0-2024-56664)

Vulnerability from cvelistv5 – Published: 2024-12-27 15:06 – Updated: 2025-11-03 20:52

Title

bpf, sockmap: Fix race between element replace and close()

Summary

In the Linux kernel, the following vulnerability has been resolved: bpf, sockmap: Fix race between element replace and close() Element replace (with a socket different from the one stored) may race with socket's close() link popping & unlinking. __sock_map_delete() unconditionally unrefs the (wrong) element: // set map[0] = s0 map_update_elem(map, 0, s0) // drop fd of s0 close(s0) sock_map_close() lock_sock(sk) (s0!) sock_map_remove_links(sk) link = sk_psock_link_pop() sock_map_unlink(sk, link) sock_map_delete_from_link // replace map[0] with s1 map_update_elem(map, 0, s1) sock_map_update_elem (s1!) lock_sock(sk) sock_map_update_common psock = sk_psock(sk) spin_lock(&stab->lock) osk = stab->sks[idx] sock_map_add_link(..., &stab->sks[idx]) sock_map_unref(osk, &stab->sks[idx]) psock = sk_psock(osk) sk_psock_put(sk, psock) if (refcount_dec_and_test(&psock)) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) unlock_sock(sk) __sock_map_delete spin_lock(&stab->lock) sk = *psk // s1 replaced s0; sk == s1 if (!sk_test || sk_test == sk) // sk_test (s0) != sk (s1); no branch sk = xchg(psk, NULL) if (sk) sock_map_unref(sk, psk) // unref s1; sks[idx] will dangle psock = sk_psock(sk) sk_psock_put(sk, psock) if (refcount_dec_and_test()) sk_psock_drop(sk, psock) spin_unlock(&stab->lock) release_sock(sk) Then close(map) enqueues bpf_map_free_deferred, which finally calls sock_map_free(). This results in some refcount_t warnings along with a KASAN splat [1]. Fix __sock_map_delete(), do not allow sock_map_unref() on elements that may have been replaced. [1]: BUG: KASAN: slab-use-after-free in sock_map_free+0x10e/0x330 Write of size 4 at addr ffff88811f5b9100 by task kworker/u64:12/1063 CPU: 14 UID: 0 PID: 1063 Comm: kworker/u64:12 Not tainted 6.12.0+ #125 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Arch Linux 1.16.3-1-1 04/01/2014 Workqueue: events_unbound bpf_map_free_deferred Call Trace: <TASK> dump_stack_lvl+0x68/0x90 print_report+0x174/0x4f6 kasan_report+0xb9/0x190 kasan_check_range+0x10f/0x1e0 sock_map_free+0x10e/0x330 bpf_map_free_deferred+0x173/0x320 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 </TASK> Allocated by task 1202: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 __kasan_slab_alloc+0x85/0x90 kmem_cache_alloc_noprof+0x131/0x450 sk_prot_alloc+0x5b/0x220 sk_alloc+0x2c/0x870 unix_create1+0x88/0x8a0 unix_create+0xc5/0x180 __sock_create+0x241/0x650 __sys_socketpair+0x1ce/0x420 __x64_sys_socketpair+0x92/0x100 do_syscall_64+0x93/0x180 entry_SYSCALL_64_after_hwframe+0x76/0x7e Freed by task 46: kasan_save_stack+0x1e/0x40 kasan_save_track+0x10/0x30 kasan_save_free_info+0x37/0x60 __kasan_slab_free+0x4b/0x70 kmem_cache_free+0x1a1/0x590 __sk_destruct+0x388/0x5a0 sk_psock_destroy+0x73e/0xa50 process_one_work+0x846/0x1420 worker_thread+0x5b3/0xf80 kthread+0x29e/0x360 ret_from_fork+0x2d/0x70 ret_from_fork_asm+0x1a/0x30 The bu ---truncated---

Severity ?

No CVSS data available.

Assigner

Linux

References

URL

Tags

	https://git.kernel.org/stable/c/6deb9e85dc9a2ba44…
	https://git.kernel.org/stable/c/fdb2cd8957ac51f84…
	https://git.kernel.org/stable/c/b79a0d1e9a374d1b3…
	https://git.kernel.org/stable/c/b015f19fedd2e1228…
	https://git.kernel.org/stable/c/bf2318e288f636a88…
	https://git.kernel.org/stable/c/ed1fc5d76b81a4d68…

Impacted products

Vendor

Product

Version

Linux

Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < 6deb9e85dc9a2ba4414b91c1b5b00b8415910890 (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < fdb2cd8957ac51f84c9e742ba866087944bb834b (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < b79a0d1e9a374d1b376933a354c4fcd01fce0365 (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < b015f19fedd2e12283a8450dd0aefce49ec57015 (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < bf2318e288f636a882eea39f7e1015623629f168 (git)
Affected: 604326b41a6fb9b4a78b6179335decee0365cd8c , < ed1fc5d76b81a4d681211333c026202cad4d5649 (git)

Linux

Affected: 4.20
Unaffected: 0 , < 4.20 (semver)
Unaffected: 5.10.236 , ≤ 5.10.* (semver)
Unaffected: 5.15.180 , ≤ 5.15.* (semver)
Unaffected: 6.1.125 , ≤ 6.1.* (semver)
Unaffected: 6.6.67 , ≤ 6.6.* (semver)
Unaffected: 6.12.6 , ≤ 6.12.* (semver)
Unaffected: 6.13 , ≤ * (original_commit_for_fix)

Show details on NVD website

JSON

CERTFR-2025-AVI-0559

Solutions

Action not permitted

CERTFR-2025-AVI-0559

Solutions

CVE-2025-37855 (GCVE-0-2025-37855)

CVE-2025-37744 (GCVE-0-2025-37744)

CVE-2025-21666 (GCVE-0-2025-21666)

CVE-2025-37739 (GCVE-0-2025-37739)

CVE-2024-58017 (GCVE-0-2024-58017)

CVE-2021-47576 (GCVE-0-2021-47576)

CVE-2025-22070 (GCVE-0-2025-22070)

CVE-2025-22039 (GCVE-0-2025-22039)

CVE-2025-22095 (GCVE-0-2025-22095)

CVE-2025-21875 (GCVE-0-2025-21875)

CVE-2025-21877 (GCVE-0-2025-21877)

CVE-2025-22120 (GCVE-0-2025-22120)

CVE-2025-22024 (GCVE-0-2025-22024)

CVE-2025-22105 (GCVE-0-2025-22105)

CVE-2025-37765 (GCVE-0-2025-37765)

CVE-2025-37881 (GCVE-0-2025-37881)

CVE-2025-21772 (GCVE-0-2025-21772)

CVE-2025-22038 (GCVE-0-2025-22038)

CVE-2025-37853 (GCVE-0-2025-37853)

CVE-2025-37834 (GCVE-0-2025-37834)

CVE-2024-57979 (GCVE-0-2024-57979)

CVE-2025-37825 (GCVE-0-2025-37825)

CVE-2022-49909 (GCVE-0-2022-49909)

CVE-2025-21951 (GCVE-0-2025-21951)

CVE-2025-21928 (GCVE-0-2025-21928)

CVE-2025-21898 (GCVE-0-2025-21898)

CVE-2025-21935 (GCVE-0-2025-21935)

CVE-2025-21982 (GCVE-0-2025-21982)

CVE-2024-26982 (GCVE-0-2024-26982)

CVE-2025-37773 (GCVE-0-2025-37773)

CVE-2024-58083 (GCVE-0-2024-58083)

CVE-2025-21906 (GCVE-0-2025-21906)

CVE-2025-22027 (GCVE-0-2025-22027)

CVE-2025-37746 (GCVE-0-2025-37746)

CVE-2025-21979 (GCVE-0-2025-21979)

CVE-2025-37875 (GCVE-0-2025-37875)

CVE-2025-21704 (GCVE-0-2025-21704)

CVE-2022-49636 (GCVE-0-2022-49636)

CVE-2025-21749 (GCVE-0-2025-21749)

CVE-2025-21972 (GCVE-0-2025-21972)

CVE-2025-22113 (GCVE-0-2025-22113)

CVE-2025-37838 (GCVE-0-2025-37838)

CVE-2025-22078 (GCVE-0-2025-22078)

CVE-2025-22015 (GCVE-0-2025-22015)

CVE-2022-3640 (GCVE-0-2022-3640)

CVE-2025-21970 (GCVE-0-2025-21970)

CVE-2025-23152 (GCVE-0-2025-23152)

CVE-2025-23159 (GCVE-0-2025-23159)

CVE-2025-21683 (GCVE-0-2025-21683)

CVE-2025-37886 (GCVE-0-2025-37886)

CVE-2025-21977 (GCVE-0-2025-21977)

CVE-2025-40114 (GCVE-0-2025-40114)

CVE-2025-22000 (GCVE-0-2025-22000)

CVE-2025-37745 (GCVE-0-2025-37745)

CVE-2024-53144 (GCVE-0-2024-53144)

CVE-2025-38152 (GCVE-0-2025-38152)

CVE-2025-21981 (GCVE-0-2025-21981)

CVE-2024-53051 (GCVE-0-2024-53051)

CVE-2025-21934 (GCVE-0-2025-21934)

CVE-2025-37981 (GCVE-0-2025-37981)

CVE-2025-21699 (GCVE-0-2025-21699)

CVE-2025-21866 (GCVE-0-2025-21866)

CVE-2025-39989 (GCVE-0-2025-39989)

CVE-2025-21766 (GCVE-0-2025-21766)

CVE-2025-37783 (GCVE-0-2025-37783)

CVE-2025-21956 (GCVE-0-2025-21956)

CVE-2025-39728 (GCVE-0-2025-39728)

CVE-2025-38104 (GCVE-0-2025-38104)

CVE-2025-22085 (GCVE-0-2025-22085)

CVE-2025-21719 (GCVE-0-2025-21719)

CVE-2024-58095 (GCVE-0-2024-58095)

CVE-2023-52664 (GCVE-0-2023-52664)

CVE-2025-21748 (GCVE-0-2025-21748)

CVE-2025-37872 (GCVE-0-2025-37872)

CVE-2025-37771 (GCVE-0-2025-37771)

CVE-2025-21971 (GCVE-0-2025-21971)

CVE-2025-37761 (GCVE-0-2025-37761)